Windows Analysis Report
Document for shipping.exe

Overview

General Information

Sample name: Document for shipping.exe
Analysis ID: 1427769
MD5: e8e193c463155c347c1a4cd828e5947f
SHA1: 2c3ddd91660d4590ed48aad854d3568dea951af3
SHA256: f4153f8494d015bbe6740d237a848dc9898726b4812f015d47c80eac08fe5e12
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Detected potential crypto function
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Scan Loop Network
Uses 32bit PE files

Classification

AV Detection

Source: Document for shipping.exe ReversingLabs: Detection: 21%
Source: Document for shipping.exe Virustotal: Detection: 28%
Source: Document for shipping.exe Joe Sandbox ML: detected
Source: Document for shipping.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Document for shipping.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: %%.pdbis( source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000753000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PresentationFramework.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.Xaml.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\PresentationFramework.pdb source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\WindowsBase.pdbe source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbSystem.ni.dllH source: WER52C7.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbsT source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000753000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WindowsBase.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb|Q source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdbb source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000797000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdbbxo source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000797000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PresentationFramework.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.Xaml.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: WindowsBase.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\Document for shipping.PDB$y source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER52C7.tmp.dmp.6.dr
Source: Binary string: PresentationCore.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: WindowsBase.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: \??\C:\Users\user\Desktop\Document for shipping.PDBad source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb]QF source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.Xaml.pdbMZ@ source: WER52C7.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.0000000000753000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.Xml.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: PresentationCore.ni.pdbRSDS:Ne source: WER52C7.tmp.dmp.6.dr
Source: Binary string: vk.pdb source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: WindowsBase.pdb(|s source: WER52C7.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: p0C:\Windows\mscorlib.pdb source: Document for shipping.exe, 00000003.00000002.81164074176.00000000004F6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: PresentationCore.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.Xaml.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: C:\Windows\PresentationFramework.pdbpdbork.pdb source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\PresentationFramework.pdbg.D source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS] source: WER52C7.tmp.dmp.6.dr
Source: Binary string: C:\Windows\WindowsBase.pdbpdbase.pdbbQS source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\WindowsBase.pdb source: Document for shipping.exe, 00000003.00000002.81166811438.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.pdbp source: Document for shipping.exe, 00000003.00000002.81164265279.00000000007B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PresentationFramework.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WER52C7.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER52C7.tmp.dmp.6.dr
Source: Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/MainWindow.xamld
Source: Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/MainWindow.xaml
Source: Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/mainwindow.baml
Source: Document for shipping.exe, 00000003.00000002.81165521175.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/mainwindow.bamld
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net

System Summary

Source: Document for shipping.exe, --.cs Large array initialization: _0002: array initializer size 672632
Source: initial sample Static PE information: Filename: Document for shipping.exe
Source: C:\Users\user\Desktop\Document for shipping.exe Code function: 3_2_02382BC2 3_2_02382BC2
Source: C:\Users\user\Desktop\Document for shipping.exe Code function: 3_2_0238182E 3_2_0238182E
Source: C:\Users\user\Desktop\Document for shipping.exe Code function: 3_2_023828B0 3_2_023828B0
Source: C:\Users\user\Desktop\Document for shipping.exe Code function: 3_2_02381846 3_2_02381846
Source: C:\Users\user\Desktop\Document for shipping.exe Code function: 3_2_02381098 3_2_02381098
Source: C:\Users\user\Desktop\Document for shipping.exe Code function: 3_2_02381D00 3_2_02381D00
Source: C:\Users\user\Desktop\Document for shipping.exe Code function: 3_2_02382951 3_2_02382951
Source: C:\Users\user\Desktop\Document for shipping.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 1180
Source: Document for shipping.exe, 00000003.00000000.81129385221.0000000000134000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameZvTD.exe< vs Document for shipping.exe
Source: Document for shipping.exe, 00000003.00000002.81164265279.000000000071E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Document for shipping.exe
Source: Document for shipping.exe Binary or memory string: OriginalFilenameZvTD.exe< vs Document for shipping.exe
Source: Document for shipping.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Document for shipping.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal64.evad.winEXE@2/6@0/0
Source: C:\Users\user\Desktop\Document for shipping.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7148
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7dd8211d-103a-414a-8fd3-c03277b4785f
Source: Document for shipping.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Document for shipping.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Document for shipping.exe ReversingLabs: Detection: 21%
Source: Document for shipping.exe Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\Document for shipping.exe File read: C:\Users\user\Desktop\Document for shipping.exe
Source: unknown Process created: C:\Users\user\Desktop\Document for shipping.exe "C:\Users\user\Desktop\Document for shipping.exe"
Source: C:\Users\user\Desktop\Document for shipping.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 1180
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Document for shipping.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Document for shipping.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Document for shipping.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Document for shipping.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Document for shipping.exe, --.cs .Net Code: _0003 System.Reflection.Assembly.Load(byte[])
Source: Document for shipping.exe Static PE information: section name: .text entropy: 7.967944103480401
Source: C:\Users\user\Desktop\Document for shipping.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Document for shipping.exe Memory allocated: 2380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Document for shipping.exe Memory allocated: 2580000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Document for shipping.exe Memory allocated: 4580000 memory reserve | memory write watch
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: C:\Users\user\Desktop\Document for shipping.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Document for shipping.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Document for shipping.exe Queries volume information: C:\Users\user\Desktop\Document for shipping.exe VolumeInformation
Source: C:\Users\user\Desktop\Document for shipping.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
No contacted IP infos