2653959f3304e69c4246754f1f0b863eab31eae935db15263458f3c1d541685e

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 10:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Shipping documents.exe
Size

1.2MB
MD5

94d9196b5dd6c93f15185cbef9d358f0
SHA1

adbaaf5906c40bf63b5ceb77d9529d9a9fc8e921
SHA256

dc3b1f6423664983de04a71975d79a02d53d84c9fd624579f60c2c666bfe2ba5
SHA512

01b2d14934f7c44c2475c9173c87d67c1b9a9074d55c0c8dd8e4812f550357aa946a25fdb45be234d71fc2dee3727ca340bacd2db16f778fc865e2add59e56d5
SSDEEP

24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8aVr4xGnl45uDbWQkMz:yTvC/MTQYxsWR7aVrsru+n

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping documents.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3436	Shipping documents.exe
4544	Shipping documents.exe
1560	Shipping documents.exe
1988	Shipping documents.exe
4272	Shipping documents.exe
1480	Shipping documents.exe
2884	Shipping documents.exe
5096	Shipping documents.exe
3048	Shipping documents.exe
2264	Shipping documents.exe
1240	Shipping documents.exe
4440	Shipping documents.exe
228	Shipping documents.exe
4644	Shipping documents.exe
2144	Shipping documents.exe
1084	Shipping documents.exe
668	Shipping documents.exe
3120	Shipping documents.exe
3288	Shipping documents.exe
4600	Shipping documents.exe
4404	Shipping documents.exe
4520	Shipping documents.exe
4344	Shipping documents.exe
3272	Shipping documents.exe
2864	Shipping documents.exe
1116	Shipping documents.exe
1964	Shipping documents.exe
2580	Shipping documents.exe
3896	Shipping documents.exe
1676	Shipping documents.exe
2916	Shipping documents.exe
988	Shipping documents.exe
1088	Shipping documents.exe
5068	Shipping documents.exe
3132	Shipping documents.exe
796	Shipping documents.exe
5036	Shipping documents.exe
792	Shipping documents.exe
3700	Shipping documents.exe
4940	Shipping documents.exe
5088	Shipping documents.exe
5028	Shipping documents.exe
960	Shipping documents.exe
3304	Shipping documents.exe
4492	Shipping documents.exe
820	Shipping documents.exe
392	Shipping documents.exe
2452	Shipping documents.exe
5076	Shipping documents.exe
4468	Shipping documents.exe
2816	Shipping documents.exe
2628	Shipping documents.exe
4836	Shipping documents.exe
536	Shipping documents.exe
3632	Shipping documents.exe
5100	Shipping documents.exe
1440	Shipping documents.exe
1100	Shipping documents.exe
1864	Shipping documents.exe
4316	Shipping documents.exe
3068	Shipping documents.exe
4548	Shipping documents.exe
2256	Shipping documents.exe
1188	Shipping documents.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1620	Shipping documents.exe
1620	Shipping documents.exe
1620	Shipping documents.exe
1620	Shipping documents.exe
3632	Shipping documents.exe
3632	Shipping documents.exe
3952	Shipping documents.exe
3952	Shipping documents.exe
1084	Shipping documents.exe
1084	Shipping documents.exe
4468	Shipping documents.exe
4468	Shipping documents.exe
4544	Shipping documents.exe
4544	Shipping documents.exe
3896	Shipping documents.exe
3896	Shipping documents.exe
936	Shipping documents.exe
936	Shipping documents.exe
2092	Shipping documents.exe
2092	Shipping documents.exe
3028	Shipping documents.exe
3028	Shipping documents.exe
1480	Shipping documents.exe
1480	Shipping documents.exe
4892	Shipping documents.exe
4892	Shipping documents.exe
4344	Shipping documents.exe
4344	Shipping documents.exe
5028	Shipping documents.exe
5028	Shipping documents.exe
3808	Shipping documents.exe
3808	Shipping documents.exe
4232	Shipping documents.exe
4232	Shipping documents.exe
1412	Shipping documents.exe
1412	Shipping documents.exe
2832	Shipping documents.exe
2832	Shipping documents.exe
1648	Shipping documents.exe
1648	Shipping documents.exe
3976	Shipping documents.exe
3976	Shipping documents.exe
312	Shipping documents.exe
312	Shipping documents.exe
3272	Shipping documents.exe
3272	Shipping documents.exe
3596	Shipping documents.exe
3596	Shipping documents.exe
2864	Shipping documents.exe
2864	Shipping documents.exe
4440	Shipping documents.exe
4440	Shipping documents.exe
3132	Shipping documents.exe
3132	Shipping documents.exe
3136	Shipping documents.exe
3136	Shipping documents.exe
4548	Shipping documents.exe
4548	Shipping documents.exe
1332	Shipping documents.exe
1332	Shipping documents.exe
3652	Shipping documents.exe
3652	Shipping documents.exe
5100	Shipping documents.exe
5100	Shipping documents.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1620	Shipping documents.exe
1620	Shipping documents.exe
1620	Shipping documents.exe
1620	Shipping documents.exe
3632	Shipping documents.exe
3632	Shipping documents.exe
3952	Shipping documents.exe
3952	Shipping documents.exe
1084	Shipping documents.exe
1084	Shipping documents.exe
4468	Shipping documents.exe
4468	Shipping documents.exe
4544	Shipping documents.exe
4544	Shipping documents.exe
3896	Shipping documents.exe
3896	Shipping documents.exe
936	Shipping documents.exe
936	Shipping documents.exe
2092	Shipping documents.exe
2092	Shipping documents.exe
3028	Shipping documents.exe
3028	Shipping documents.exe
1480	Shipping documents.exe
1480	Shipping documents.exe
4892	Shipping documents.exe
4892	Shipping documents.exe
4344	Shipping documents.exe
4344	Shipping documents.exe
5028	Shipping documents.exe
5028	Shipping documents.exe
3808	Shipping documents.exe
3808	Shipping documents.exe
4232	Shipping documents.exe
4232	Shipping documents.exe
1412	Shipping documents.exe
1412	Shipping documents.exe
2832	Shipping documents.exe
2832	Shipping documents.exe
1648	Shipping documents.exe
1648	Shipping documents.exe
3976	Shipping documents.exe
3976	Shipping documents.exe
312	Shipping documents.exe
312	Shipping documents.exe
3272	Shipping documents.exe
3272	Shipping documents.exe
3596	Shipping documents.exe
3596	Shipping documents.exe
2864	Shipping documents.exe
2864	Shipping documents.exe
4440	Shipping documents.exe
4440	Shipping documents.exe
3132	Shipping documents.exe
3132	Shipping documents.exe
3136	Shipping documents.exe
3136	Shipping documents.exe
4548	Shipping documents.exe
4548	Shipping documents.exe
1332	Shipping documents.exe
1332	Shipping documents.exe
3652	Shipping documents.exe
3652	Shipping documents.exe
5100	Shipping documents.exe
5100	Shipping documents.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3632	1620	Shipping documents.exe	86
PID 1620 wrote to memory of 3632	1620	Shipping documents.exe	86
PID 1620 wrote to memory of 3632	1620	Shipping documents.exe	86
PID 3632 wrote to memory of 3952	3632	Shipping documents.exe	87
PID 3632 wrote to memory of 3952	3632	Shipping documents.exe	87
PID 3632 wrote to memory of 3952	3632	Shipping documents.exe	87
PID 3952 wrote to memory of 1084	3952	Shipping documents.exe	88
PID 3952 wrote to memory of 1084	3952	Shipping documents.exe	88
PID 3952 wrote to memory of 1084	3952	Shipping documents.exe	88
PID 1084 wrote to memory of 4468	1084	Shipping documents.exe	91
PID 1084 wrote to memory of 4468	1084	Shipping documents.exe	91
PID 1084 wrote to memory of 4468	1084	Shipping documents.exe	91
PID 4468 wrote to memory of 4544	4468	Shipping documents.exe	94
PID 4468 wrote to memory of 4544	4468	Shipping documents.exe	94
PID 4468 wrote to memory of 4544	4468	Shipping documents.exe	94
PID 4544 wrote to memory of 3896	4544	Shipping documents.exe	95
PID 4544 wrote to memory of 3896	4544	Shipping documents.exe	95
PID 4544 wrote to memory of 3896	4544	Shipping documents.exe	95
PID 3896 wrote to memory of 936	3896	Shipping documents.exe	96
PID 3896 wrote to memory of 936	3896	Shipping documents.exe	96
PID 3896 wrote to memory of 936	3896	Shipping documents.exe	96
PID 936 wrote to memory of 2092	936	Shipping documents.exe	98
PID 936 wrote to memory of 2092	936	Shipping documents.exe	98
PID 936 wrote to memory of 2092	936	Shipping documents.exe	98
PID 2092 wrote to memory of 3028	2092	Shipping documents.exe	99
PID 2092 wrote to memory of 3028	2092	Shipping documents.exe	99
PID 2092 wrote to memory of 3028	2092	Shipping documents.exe	99
PID 3028 wrote to memory of 1480	3028	Shipping documents.exe	100
PID 3028 wrote to memory of 1480	3028	Shipping documents.exe	100
PID 3028 wrote to memory of 1480	3028	Shipping documents.exe	100
PID 1480 wrote to memory of 4892	1480	Shipping documents.exe	103
PID 1480 wrote to memory of 4892	1480	Shipping documents.exe	103
PID 1480 wrote to memory of 4892	1480	Shipping documents.exe	103
PID 4892 wrote to memory of 4344	4892	Shipping documents.exe	104
PID 4892 wrote to memory of 4344	4892	Shipping documents.exe	104
PID 4892 wrote to memory of 4344	4892	Shipping documents.exe	104
PID 4344 wrote to memory of 5028	4344	Shipping documents.exe	105
PID 4344 wrote to memory of 5028	4344	Shipping documents.exe	105
PID 4344 wrote to memory of 5028	4344	Shipping documents.exe	105
PID 5028 wrote to memory of 3808	5028	Shipping documents.exe	106
PID 5028 wrote to memory of 3808	5028	Shipping documents.exe	106
PID 5028 wrote to memory of 3808	5028	Shipping documents.exe	106
PID 3808 wrote to memory of 4232	3808	Shipping documents.exe	107
PID 3808 wrote to memory of 4232	3808	Shipping documents.exe	107
PID 3808 wrote to memory of 4232	3808	Shipping documents.exe	107
PID 4232 wrote to memory of 1412	4232	Shipping documents.exe	108
PID 4232 wrote to memory of 1412	4232	Shipping documents.exe	108
PID 4232 wrote to memory of 1412	4232	Shipping documents.exe	108
PID 1412 wrote to memory of 2832	1412	Shipping documents.exe	109
PID 1412 wrote to memory of 2832	1412	Shipping documents.exe	109
PID 1412 wrote to memory of 2832	1412	Shipping documents.exe	109
PID 2832 wrote to memory of 1648	2832	Shipping documents.exe	110
PID 2832 wrote to memory of 1648	2832	Shipping documents.exe	110
PID 2832 wrote to memory of 1648	2832	Shipping documents.exe	110
PID 1648 wrote to memory of 3976	1648	Shipping documents.exe	111
PID 1648 wrote to memory of 3976	1648	Shipping documents.exe	111
PID 1648 wrote to memory of 3976	1648	Shipping documents.exe	111
PID 3976 wrote to memory of 312	3976	Shipping documents.exe	112
PID 3976 wrote to memory of 312	3976	Shipping documents.exe	112
PID 3976 wrote to memory of 312	3976	Shipping documents.exe	112
PID 312 wrote to memory of 3272	312	Shipping documents.exe	114
PID 312 wrote to memory of 3272	312	Shipping documents.exe	114
PID 312 wrote to memory of 3272	312	Shipping documents.exe	114
PID 3272 wrote to memory of 3596	3272	Shipping documents.exe	115

C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4468
      - C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        8⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        10⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        15⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        16⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        17⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        20⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        21⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        23⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        28⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        29⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        30⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        32⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        34⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        39⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        41⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        46⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        47⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        50⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        51⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        53⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        57⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        60⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        67⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        69⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        70⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        71⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        73⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        74⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        75⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        77⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        80⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        82⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        83⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        84⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        86⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        87⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        88⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        92⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        93⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        94⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        96⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        97⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        98⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        99⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        102⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        103⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        104⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        105⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        107⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        108⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        109⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        114⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        116⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        117⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        118⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        120⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        122⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        123⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        124⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        125⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        126⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        127⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        128⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
        129⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autBC5B.tmp

Filesize
279KB

MD5
a55c5b6c35d1211977c7a498d3a93149

SHA1
0fdef860d7a55559d33989162ac30ab6266d947a

SHA256
6a21b0d52a0fd6ab20d1dca3b461d49f564b22838ec84ebabdd80c0c6d46f2ce

SHA512
9a0ea42fb61ce5ea3f9008b86a4bbb3af8de94f2381d72686edde80583cc62dcb62bd3f269c48bcd59d4eb4003082c070acea59c12dac239b02ce824c374c452

Download Submit
C:\Users\Admin\AppData\Local\Temp\autCF86.tmp

Filesize
9KB

MD5
f99c0644415b6540ed9517fd18e13856

SHA1
af1eec6607f389716d24590c96d5f8d7fca91cb1

SHA256
06921525d76a5bcd398274661fe6e14cbbeed43e9a92a4547a4f754bef44cd5d

SHA512
a3de325e3a991d48cb01fe81b4f68d01e1324fe8660df18c3d85f45066808a142e38764f24fc4a1170992847f8a72d4aee6a2ca7512c3a2ed86d8b014d6c82d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nondefinition

Filesize
28KB

MD5
1beceb1b0d2ecf7087f5ace1d3f3edd1

SHA1
1d8eda446acd0373b364d55037ce234917beeb86

SHA256
03002e68255dc8194d01c13e414d8c622714c318e16c906e35d06945f351483f

SHA512
5851718270f76dcd0de5f6d5e168bf881c8ca20b3e92825f6ec6810b400137e54de244e472f0bc9391878188552a5d41687cfc1c7dbb8181ba7b37e0bc08cd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nondefinition

Filesize
28KB

MD5
af146a23a2bce54b5f9c4df4959ca4de

SHA1
9b54498a2f08f802525470044f07e00d8fb2895f

SHA256
b5e2b36b16bcf1cca03b8680c7b92eb435cfd27596acbdf2a26ec7fa9e21e694

SHA512
c6039ef362fab4bcc9982fbcc2fd4e9e3e2bae9bf16a9dfb88a3c8b12550a4eba04c285630192cfbb5327f282efbea4d82303d5af8375c14c5654573200b5135

Download Submit
memory/1620-13-0x0000000000730000-0x0000000000734000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads