Analysis Report Shipping-Document.com

Overview

General Information

Sample Name:	Shipping-Document.com (renamed file extension from com to exe)
Analysis ID:	321421
MD5:	47f1684c0075aea74bb225586d55b6e3
SHA1:	7198622c341f1f6982eb20ac7a431508289df924
SHA256:	58ba104e01f9650518e256c03102a8105428e761988ce5905de77cd45a53ad90
Most interesting Screenshot:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: Log.txt.26.dr.binstr

Malware Configuration Extractor: MassLogger {"Config: ": ["00000000 -> <|| v2.4.0.0 ||>", "User Name: user", "IP: 84.17.52.25", "Location: United States", "Windows OS: Microsoft Windows 10 Pro 64bit", "Windows Serial Key: VG7NF-BJ77Y-WRF7X-GJVW7-H3M8T", "CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "GPU: Microsoft Basic Display Adapter", "AV: Windows Defender", "Screen Resolution: 1280x1024", "Current Time: 11/21/2020 10:23:00 PM", "MassLogger Started: 11/21/2020 10:22:56 PM", "Interval: 2 hour", "MassLogger Process: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe", "MassLogger Melt: false", "MassLogger Exit after delivery: false", "As Administrator: True", "Processes:", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "<|| WD Exclusion ||>", "Disabled", "<|| Binder ||>", "Disabled", "<|| Downloader ||>", "Disabled", "<|| Window Searcher ||>", "Disabled", "<|| Bot Killer ||>", "Disabled", "<|| Search And Upload ||>", "Disabled", "<|| Telegram Desktop ||>", "Not Installed", "<|| Pidgin ||>", "Not Installed", "<|| FileZilla ||>", "Not Installed", "<|| Discord Tokken ||>", "Not Installed", "<|| NordVPN ||>", "Not Installed", "<|| Outlook ||>", "Not Installed", "<|| FoxMail ||>", "Not Installed", "<|| Thunderbird ||>", "Not Installed", "<|| FireFox ||>", "Not Installed", "<|| QQ Browser ||>", "Not Installed", "<|| Chromium Recovery ||>", "Not Installed or Not Found", "<|| Keylogger And Clipboard ||>", "NA"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Virustotal: Detection: 20%			Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Source: Shipping-Document.exe	Virustotal: Detection: 20%			Perma Link
Source: Shipping-Document.exe	ReversingLabs: Detection: 20%

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior

Networking:

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 54.243.164.148 54.243.164.148
Source: Joe Sandbox View	IP Address: 54.243.164.148 54.243.164.148
Source: Joe Sandbox View	IP Address: 54.235.142.93 54.235.142.93
Source: Joe Sandbox View	IP Address: 54.235.142.93 54.235.142.93

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive

Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp

String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org/
Source: Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org/P
Source: Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org/p
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.orgD
Source: vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify8
Source: vlc.exe, 00000016.00000002.486012293.0000000002D1B000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify8R
Source: Shipping-Document.exe, 00000005.00000002.485070930.0000000002FAF000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify8v
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.486045579.0000000002D20000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485599592.0000000003142000.00000004.00000001.sdmp	String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0L
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: Shipping-Document.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Shipping-Document.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg

System Summary:

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Shipping-Document.exe

Detected potential crypto function

Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 0_2_0278C1B4	0_2_0278C1B4
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 0_2_0278E610	0_2_0278E610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 0_2_0278E600	0_2_0278E600
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 3_2_003F4667	3_2_003F4667
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_00994667	5_2_00994667
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_05270790	5_2_05270790
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_05270507	5_2_05270507
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_05270518	5_2_05270518
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_052760FB	5_2_052760FB
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_06970818	5_2_06970818
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_06976561	5_2_06976561
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_06976568	5_2_06976568
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_00BE4667	12_2_00BE4667
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_0176C1B4	12_2_0176C1B4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_0176E610	12_2_0176E610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_0176E600	12_2_0176E600
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_08A454C8	12_2_08A454C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_000B4667	14_2_000B4667
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_00A5C1B4	14_2_00A5C1B4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_00A5E600	14_2_00A5E600
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_00A5E610	14_2_00A5E610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_069854C8	14_2_069854C8

PE / OLE file has an invalid certificate

Source: Shipping-Document.exe

Static PE information: invalid certificate

PE file contains strange resources

Source: Shipping-Document.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Shipping-Document.exe, 00000000.00000002.293468023.0000000003B77000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClassLibrary3.dll< vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000000.00000002.290016295.00000000029B9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename" vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEeyxsdnaklophm.dll4 vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000000.00000002.288880734.00000000005C2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000000.00000002.298541463.0000000006FD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000003.00000002.283415905.0000000000562000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000000.284472154.0000000000B02000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.489874672.0000000005310000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.488191884.0000000003DE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIonic.Zip.dllD vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename" vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.479489682.0000000000EF4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.494723433.0000000006E40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Shipping-Document.exe
Source: Shipping-Document.exe	Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/10@7/3

Source: C:\Users\user\Desktop\Shipping-Document.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN

Source: C:\Users\user\Desktop\Shipping-Document.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Shipping-Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR

Source: C:\Users\user\Desktop\Shipping-Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown	Process created: C:\Users\user\Desktop\Shipping-Document.exe 'C:\Users\user\Desktop\Shipping-Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
Source: unknown	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe	Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior

Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: Shipping-Document.exe, 00000005.00000002.488191884.0000000003DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.488378125.0000000003B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: Shipping-Document.exe, 00000005.00000002.488191884.0000000003DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.488378125.0000000003B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp

Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1364, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1748, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY

Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_05E83121 push ecx; iretd		5_2_05E83122
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_056C1C34 push 9400005Eh; ret		12_2_056C1C39

Source: Shipping-Document.exe, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: Shipping-Document.exe, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: vlc.exe.0.dr, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: vlc.exe.0.dr, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 0.0.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 0.0.Shipping-Document.exe.450000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 0.2.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 0.2.Shipping-Document.exe.450000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 3.2.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 3.2.Shipping-Document.exe.3f0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 3.0.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 3.0.Shipping-Document.exe.3f0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 5.0.Shipping-Document.exe.990000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 5.0.Shipping-Document.exe.990000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 5.2.Shipping-Document.exe.990000.1.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 5.2.Shipping-Document.exe.990000.1.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 12.2.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 12.2.vlc.exe.be0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 12.0.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 12.0.vlc.exe.be0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 14.0.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 14.0.vlc.exe.b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 14.2.vlc.exe.b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 14.2.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 17.2.vlc.exe.4b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 17.2.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 17.0.vlc.exe.4b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 17.0.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 18.0.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 18.0.vlc.exe.230000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 18.2.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 18.2.vlc.exe.230000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 19.0.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 19.0.vlc.exe.90000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 19.2.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 19.2.vlc.exe.90000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 20.2.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 20.2.vlc.exe.190000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 20.0.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 20.0.vlc.exe.190000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'

Source: C:\Users\user\Desktop\Shipping-Document.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc			Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Shipping-Document.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File Volume queried: C:\ FullSizeInformation

Source: Shipping-Document.exe, 00000005.00000002.492662455.0000000005EC9000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vlc.exe, 0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp	Binary or memory string: EnableAntiVMware
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Shipping-Document.exe, 00000005.00000002.492662455.0000000005EC9000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareMicrosoft Basic Display AdapterWin32_VideoControllerMicrosoft Basic Display AdapterVideoController120060621000000.000000-00052351491display.infMSBDAMicrosoft Basic Display AdapterPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMwareu8
Source: Shipping-Document.exe, 00000005.00000002.492262599.0000000005E90000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.481282122.0000000001303000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Shipping-Document.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug

Source: Shipping-Document.exe, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: vlc.exe.0.dr, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 0.0.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 0.2.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 3.2.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 3.0.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 5.0.Shipping-Document.exe.990000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 5.2.Shipping-Document.exe.990000.1.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 12.2.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 12.0.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 14.0.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 14.2.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 17.2.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 17.0.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 18.0.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 18.2.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 19.0.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 19.2.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 20.2.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 20.0.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')

Source: C:\Users\user\Desktop\Shipping-Document.exe	Memory written: C:\Users\user\Desktop\Shipping-Document.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Shipping-Document.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Source: Yara match	File source: 00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.474961619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.392005702.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.401816626.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.399837462.0000000004325000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.380082858.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.285012492.0000000003F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.411380915.0000000003515000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1364, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1748, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY
Source: Yara match	File source: 26.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Shipping-Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

Source: Yara match	File source: 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.243.164.148	unknown	United States		14618	AMAZON-AESUS	false
54.235.142.93	unknown	United States		14618	AMAZON-AESUS	false

Analysis Report Shipping-Document.com

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Name	IP	Active
elb097307-934924932.us-east-1.elb.amazonaws.com	54.243.164.148	true
api.ipify.org	unknown	unknown
cdn.onenote.net	unknown	unknown

ID:	321421
Product:	CloudBasic
Start time:	22:20:25
Start date:	21.11.2020
Sample:	Shipping-Document.com
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	47f1684c0075aea74bb225586d55b6e3
SHA1:	7198622c341f1f6982eb20ac7a431508289df924
SHA256:	58ba104e01f9650518e256c03102a8105428e761988ce5905de77cd45a53ad90
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\AEC365839D\Log.txt	ASCII text, with CRLF line terminators	C34F8BF4E27BB68FA0108BC5A5712E24	FC0B4511A39BD5178205D175D4C548ACED69AF23	D11FCFABCA1A007F95CCB792F723CF6CC6DE29816E16F50330EAC19D4F54127D
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping-Document.exe.log	ASCII text, with CRLF line terminators	3197B1D4714B56F2A6AC9E83761739AE	3B38010F0DF51C1D4D2C020138202DABB686741D	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log	ASCII text, with CRLF line terminators	3197B1D4714B56F2A6AC9E83761739AE	3B38010F0DF51C1D4D2C020138202DABB686741D	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
C:\Users\user\AppData\Local\Temp\DotNetZip-3hg33bsx.tmp	Zip archive data, at least v2.0 to extract	DBCE34334D5F6D7582E247A4101BD020	C0D92A5B3A595721D0708901B4EDA33306DAC714	6CB6784E1A1BB42526FAC9DC4A7EA512EABE2764078BDEE866FC0126A25C4E30
C:\Users\user\AppData\Local\Temp\DotNetZip-4b2ut3ef.tmp	Zip archive data, at least v2.0 to extract	8132E6EA831C1B6BE4BD2291AADB6039	D976FFAA6CD0E120B8776CFAFB09D7B716ADEEC6	F530344314CBD18FAD28D37A886B9597EC8DA7497B13EFD859A0D1048CC68F0C
C:\Users\user\AppData\Local\Temp\DotNetZip-fu3v0fes.tmp	Zip archive data, at least v2.0 to extract	018370A0F32AFAE7CD5FA0B7CA08BF33	F4A3ABD2679619E0476A65D01D090B6F97064F27	C48C00649DE76CF63D8ED975D6C6926F5E12E46559EFD3F329AF19576AAFF383
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	47F1684C0075AEA74BB225586D55B6E3	7198622C341F1F6982EB20AC7A431508289DF924	58BA104E01F9650518E256C03102A8105428E761988CE5905DE77CD45A53AD90
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309