Analysis Report Shipping-Document.com

Overview

General Information

Sample Name: Shipping-Document.com (renamed file extension from com to exe)
Analysis ID: 321421
MD5: 47f1684c0075aea74bb225586d55b6e3
SHA1: 7198622c341f1f6982eb20ac7a431508289df924
SHA256: 58ba104e01f9650518e256c03102a8105428e761988ce5905de77cd45a53ad90

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Shipping-Document.exe (PID: 1364 cmdline: 'C:\Users\user\Desktop\Shipping-Document.exe' MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • Shipping-Document.exe (PID: 3420 cmdline: C:\Users\user\Desktop\Shipping-Document.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • Shipping-Document.exe (PID: 1488 cmdline: C:\Users\user\Desktop\Shipping-Document.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
  • vlc.exe (PID: 1748 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • vlc.exe (PID: 2792 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • vlc.exe (PID: 6052 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • vlc.exe (PID: 1872 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • vlc.exe (PID: 4472 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • vlc.exe (PID: 5352 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • vlc.exe (PID: 1256 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
  • vlc.exe (PID: 3440 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • vlc.exe (PID: 1012 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • vlc.exe (PID: 4832 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
    • vlc.exe (PID: 484 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)
  • cleanup

Malware Configuration

Threatname: MassLogger

{"Config: ": ["00000000 -> <|| v2.4.0.0 ||>", "User Name: user", "IP: 84.17.52.25", "Location: United States", "Windows OS: Microsoft Windows 10 Pro 64bit", "Windows Serial Key: VG7NF-BJ77Y-WRF7X-GJVW7-H3M8T", "CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "GPU: Microsoft Basic Display Adapter", "AV: Windows Defender", "Screen Resolution: 1280x1024", "Current Time: 11/21/2020 10:23:00 PM", "MassLogger Started: 11/21/2020 10:22:56 PM", "Interval: 2 hour", "MassLogger Process: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe", "MassLogger Melt: false", "MassLogger Exit after delivery: false", "As Administrator: True", "Processes:", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "<|| WD Exclusion ||>", "Disabled", "<|| Binder ||>", "Disabled", "<|| Downloader ||>", "Disabled", "<|| Window Searcher ||>", "Disabled", "<|| Bot Killer ||>", "Disabled", "<|| Search And Upload ||>", "Disabled", "<|| Telegram Desktop ||>", "Not Installed", "<|| Pidgin ||>", "Not Installed", "<|| FileZilla ||>", "Not Installed", "<|| Discord Tokken ||>", "Not Installed", "<|| NordVPN ||>", "Not Installed", "<|| Outlook ||>", "Not Installed", "<|| FoxMail ||>", "Not Installed", "<|| Thunderbird ||>", "Not Installed", "<|| FireFox ||>", "Not Installed", "<|| QQ Browser ||>", "Not Installed", "<|| Chromium Recovery ||>", "Not Installed or Not Found", "<|| Keylogger And Clipboard ||>", "NA"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000016.00000002.474961619.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0000000C.00000003.392005702.00000000048A0000.00000004.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
(5 of 23 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
26.2.vlc.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
5.2.Shipping-Document.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
22.2.vlc.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: Log.txt.26.dr.binstr | Malware Configuration Extractor: MassLogger {"Config: ": ["00000000 -> <|| v2.4.0.0 ||>", "User Name: user", "IP: 84.17.52.25", "Location: United States", "Windows OS: Microsoft Windows 10 Pro 64bit", "Windows Serial Key: VG7NF-BJ77Y-WRF7X-GJVW7-H3M8T", "CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "GPU: Microsoft Basic Display Adapter", "AV: Windows Defender", "Screen Resolution: 1280x1024", "Current Time: 11/21/2020 10:23:00 PM", "MassLogger Started: 11/21/2020 10:22:56 PM", "Interval: 2 hour", "MassLogger Process: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe", "MassLogger Melt: false", "MassLogger Exit after delivery: false", "As Administrator: True", "Processes:", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "<|| WD Exclusion ||>", "Disabled", "<|| Binder ||>", "Disabled", "<|| Downloader ||>", "Disabled", "<|| Window Searcher ||>", "Disabled", "<|| Bot Killer ||>", "Disabled", "<|| Search And Upload ||>", "Disabled", "<|| Telegram Desktop ||>", "Not Installed", "<|| Pidgin ||>", "Not Installed", "<|| FileZilla ||>", "Not Installed", "<|| Discord Tokken ||>", "Not Installed", "<|| NordVPN ||>", "Not Installed", "<|| Outlook ||>", "Not Installed", "<|| FoxMail ||>", "Not Installed", "<|| Thunderbird ||>", "Not Installed", "<|| FireFox ||>", "Not Installed", "<|| QQ Browser ||>", "Not Installed", "<|| Chromium Recovery ||>", "Not Installed or Not Found", "<|| Keylogger And Clipboard ||>", "NA"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: Shipping-Document.exe | Virustotal: Detection: 20%
Source: Shipping-Document.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org (18 identical entries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: api.ipify.org, Connection: Keep-Alive (3 identical entries)
Source: Joe Sandbox View | IP Address: 54.243.164.148 (2 identical entries)
Source: Joe Sandbox View | IP Address: 54.235.142.93 (2 identical entries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: api.ipify.org, Connection: Keep-Alive (3 identical entries)
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/
Source: Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/P
Source: Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/p
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.orgD
Source: vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify8
Source: vlc.exe, 00000016.00000002.486012293.0000000002D1B000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify8R
Source: Shipping-Document.exe, 00000005.00000002.485070930.0000000002FAF000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify8v
Source: Shipping-Document.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Shipping-Document.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Shipping-Document.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Shipping-Document.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Shipping-Document.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Shipping-Document.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Shipping-Document.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Shipping-Document.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Shipping-Document.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Shipping-Document.exe | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Shipping-Document.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Shipping-Document.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Shipping-Document.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Shipping-Document.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Shipping-Document.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Shipping-Document.exe | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Shipping-Document.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Shipping-Document.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.486045579.0000000002D20000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485599592.0000000003142000.00000004.00000001.sdmp | String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Shipping-Document.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: Shipping-Document.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Shipping-Document.exe | String found in binary or memory: http://ocsp.digicert.com0L
Source: Shipping-Document.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: Shipping-Document.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp | String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: Shipping-Document.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Shipping-Document.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg

                  System Summary:

                  barindex
                  Initial sample is a PE file and has a suspicious nameShow sources
                  Source: initial sampleStatic PE information: Filename: Shipping-Document.exe
                  Source: C:\Users\user\Desktop\Shipping-Document.exeCode function: 0_2_0278C1B40_2_0278C1B4
                  Source: C:\Users\user\Desktop\Shipping-Document.exeCode function: 0_2_0278E6100_2_0278E610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 0_2_0278E600
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 3_2_003F4667
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 5_2_00994667
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 5_2_05270790
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 5_2_05270507
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 5_2_05270518
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 5_2_052760FB
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 5_2_06970818
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 5_2_06976561
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 5_2_06976568
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 12_2_00BE4667
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 12_2_0176C1B4
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 12_2_0176E610
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 12_2_0176E600
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 12_2_08A454C8
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 14_2_000B4667
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 14_2_00A5C1B4
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 14_2_00A5E600
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 14_2_00A5E610
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 14_2_069854C8
                  Source: Shipping-Document.exe Static PE information: invalid certificate
                  Source: Shipping-Document.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: vlc.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: Shipping-Document.exe, 00000000.00000002.293468023.0000000003B77000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClassLibrary3.dll< vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000000.00000002.290016295.00000000029B9000.00000004.00000001.sdmp Binary or memory string: OriginalFilename" vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEeyxsdnaklophm.dll4 vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000000.00000002.288880734.00000000005C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000000.00000002.298541463.0000000006FD0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000003.00000002.283415905.0000000000562000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000005.00000000.284472154.0000000000B02000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000005.00000002.489874672.0000000005310000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000005.00000002.488191884.0000000003DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIonic.Zip.dllD vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilename" vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000005.00000002.479489682.0000000000EF4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Shipping-Document.exe
                  Source: Shipping-Document.exe, 00000005.00000002.494723433.0000000006E40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Shipping-Document.exe
                  Source: Shipping-Document.exe Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@25/10@7/3
                  Source: C:\Users\user\Desktop\Shipping-Document.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
                  Source: C:\Users\user\Desktop\Shipping-Document.exe File created: C:\Users\user\AppData\Local\Temp\DotNetZip-fu3v0fes.tmp
                  Source: Shipping-Document.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\Shipping-Document.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\Shipping-Document.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: Shipping-Document.exe Virustotal: Detection: 20%
                  Source: Shipping-Document.exe ReversingLabs: Detection: 20%
                  Source: C:\Users\user\Desktop\Shipping-Document.exe File read: C:\Users\user\Desktop\Shipping-Document.exe
                  Source: unknown Process created: C:\Users\user\Desktop\Shipping-Document.exe 'C:\Users\user\Desktop\Shipping-Document.exe'
                  Source: unknown Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
                  Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
                  Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\Shipping-Document.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Shipping-Document.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Shipping-Document.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: Shipping-Document.exe Static file information: File size 1631688 > 1048576
                  Source: Shipping-Document.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16ec00
                  Source: Shipping-Document.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: Shipping-Document.exe, 00000005.00000002.488191884.0000000003DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.488378125.0000000003B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp
                  Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: Shipping-Document.exe, 00000005.00000002.488191884.0000000003DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.488378125.0000000003B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp

                  Data Obfuscation:

                  Yara detected Costura Assembly Loader
                  Source: Yara match File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
                  Source: Yara match File source: Process Memory Space: vlc.exe PID: 3440, type: MEMORY
                  Source: Yara match File source: Process Memory Space: Shipping-Document.exe PID: 1364, type: MEMORY
                  Source: Yara match File source: Process Memory Space: vlc.exe PID: 1748, type: MEMORY
                  Source: Yara match File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
                  Source: Yara match File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Code function: 5_2_05E83121 push ecx; iretd 5_2_05E83122
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Code function: 12_2_056C1C34 push 9400005Eh; ret 12_2_056C1C39
                  Source: Shipping-Document.exe, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: Shipping-Document.exe, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: vlc.exe.0.dr, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: vlc.exe.0.dr, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 0.0.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 0.0.Shipping-Document.exe.450000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 0.2.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 0.2.Shipping-Document.exe.450000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 3.2.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 3.2.Shipping-Document.exe.3f0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 3.0.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 3.0.Shipping-Document.exe.3f0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 5.0.Shipping-Document.exe.990000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 5.0.Shipping-Document.exe.990000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 5.2.Shipping-Document.exe.990000.1.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 5.2.Shipping-Document.exe.990000.1.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 12.2.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 12.2.vlc.exe.be0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 12.0.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 12.0.vlc.exe.be0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 14.0.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 14.0.vlc.exe.b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 14.2.vlc.exe.b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 14.2.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 17.2.vlc.exe.4b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 17.2.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 17.0.vlc.exe.4b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 17.0.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 18.0.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 18.0.vlc.exe.230000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 18.2.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 18.2.vlc.exe.230000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 19.0.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 19.0.vlc.exe.90000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 19.2.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 19.2.vlc.exe.90000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 20.2.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 20.2.vlc.exe.190000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: 20.0.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
                  Source: 20.0.vlc.exe.190000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
                  Source: C:\Users\user\Desktop\Shipping-Document.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\Desktop\Shipping-Document.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
                  Source: C:\Users\user\Desktop\Shipping-Document.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATA
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Shipping-Document.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: Shipping-Document.exe, 00000000.00000002.289910761.0000000002941000.00000004.00000001.sdmp, Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 0000000C.00000002.396712522.00000000032D1000.00000004.00000001.sdmp, vlc.exe, 0000000E.00000002.409364765.00000000024E1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7200000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7199860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7199750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7199610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7199500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7199407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7199313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7199157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7199063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7198907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7198813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7198703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7198610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7198500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7198360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7198250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7198157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7198063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7197953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7197813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7197703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7197610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7197500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7197407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7197313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7197157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7197063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7196953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7196860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7196750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7196610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7196500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7196407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7196313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7196157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7196000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7195907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7195813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7195703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7195563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7195453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7195360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7195250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7195110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7195000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7194907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7194813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7194703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7194563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7194453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7194360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7194203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7194110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7193860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7193703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7193610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7193516
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7193360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7193250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7192860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7192750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7192657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7192563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7192407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7192000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7191907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7191813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7191657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7191563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7191453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7191360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7191250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7191110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7191016
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7190907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7190813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7190703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7190563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7190453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7190360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7190250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7190110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7190016
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7189907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7189813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7189703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7189563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7189453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7189360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7189250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7189157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7189063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7188907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7188813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7188703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7188610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7188516
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7188360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7188250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7188157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7188063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7187953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7187813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7187703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7187610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7187500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7187407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7187266
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7187157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7187063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7186953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7186860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7186750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7186610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7186500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7186407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7186313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7186203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7186063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185766
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7185000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7184860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7184750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7184657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7184563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7184453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7184313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7184203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7184110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7184000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7183907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7183813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7183657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7183563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7183453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7183360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7183250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7183110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7183000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7182907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7182813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7182703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7182563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7182453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7182360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7182250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7182157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7182063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7181907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7181813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7181703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7181610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7181500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7181360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7181250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7181157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7181063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7180953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7180813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7180703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7180610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7180500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7180407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7180313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7180157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7180063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7179953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7179860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7179750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7179610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7179500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7179407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7179313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7179203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7179063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7178000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7177860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7177750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7177657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7177563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7177453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7177313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7177203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7177110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7177000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7176907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7176813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7176657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7176563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7176360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7176250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7176110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7176000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7175907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7175813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7175703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7175360
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7175250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7175157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7175063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7174703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7174610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7174313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7174157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7174063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7173953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7173813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7173703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Thread delayed: delay time: 7173610
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7173500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7173407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7173313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7173157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7173063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7172953Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7172860Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7172750Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7172610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7172500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7172407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7172313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7172203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7172063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171953Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171860Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171750Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171657Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7171000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7170860Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7170750Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7170657Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7170563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7170453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7170313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7170203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7170110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7170000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7169907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7169813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7169657Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7169563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7169453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7169360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7169250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7169110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7169000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7168907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7168813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7168703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7168563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7168453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7168360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7168250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7168157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7168000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7167907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7167813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7167703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7167563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7167453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7167360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7167250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7167157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7167063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7166907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7166813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7166703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7166610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7166500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7166360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7166250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7166157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7166063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7165953Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7165813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7165703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7165610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7165500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7165407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7165313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7165157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7165063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7164953Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7164860Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7164750Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7164610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7164500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7164407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7164313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7164203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7164063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163953Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163860Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163750Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163657Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7163000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7162860Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7162750Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7162657Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7162563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7162453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7162313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7162203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7162110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7162000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7161907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7161813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7161657Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7161563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7161453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7161360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7161250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7161110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7161000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7160907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7160813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7160703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7160563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7160453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7160360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7160250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7160157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7160063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7159907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7159813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7159703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7159610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7159500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7159360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7159250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7159157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7159063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7158953Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7158813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7158703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7158610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7158453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7158313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7158203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7158110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7158000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7157907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7157813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7157407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7157313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7157157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7157063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7156360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7156250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7156110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7156000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7155907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7155813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7155703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7155563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7155453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7155360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7155250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7155157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7155063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7154907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7154813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7154703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7154610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7154500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7154360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7154250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7154157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7154063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7153953Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7153813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7153703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7153610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7153500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7153407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7153313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7153157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7153063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7152953Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7152860Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7152750Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7152610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7152500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7152407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7152313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7152203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7152063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151953Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151860Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151750Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151657Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151407Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7151000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7150860Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7150750Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7150657Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7150563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7150453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7150313Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7150203Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7150110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7150000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7149907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7149813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7149657Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7149563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7149453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7149360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7149250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7149110Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7149000Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7148907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7148813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7148703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7148563Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7148453Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7148360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7148250Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7148157Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7148063Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7147907Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7147813Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7147703Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7147610Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7147500Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeThread delayed: delay time: 7147360Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7147250
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7147157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7147063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7146953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7146813
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7146703
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7146610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7146500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7146407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7146313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7146157
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7146063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7145953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7145860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7145750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7145610
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7145500
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7145407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7145313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7145203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7145063
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144953
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144407
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7144000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7143860
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7143750
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7143657
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7143563
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7143453
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7143313
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7143203
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7143110
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7143000
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Thread delayed: delay time: 7142907
                  Source: C:\Users\user\Desktop\Shipping-Document.exe Window / User API: threadDelayed 409
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 1956 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7200000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7199860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7199750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7199610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7199500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7199407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7199313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7199157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7199063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7198907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7198813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7198703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7198610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7198500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7198360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7198250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7198157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7198063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7197953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7197813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7197703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7197610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7197500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7197407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7197313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7197157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7197063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7196953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7196860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7196750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7196610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7196500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7196407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7196313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7196157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7196000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7195907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7195813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7195703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7195563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7195453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7195360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7195250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7195110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7195000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7194907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7194813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7194703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7194563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7194453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7194360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7194203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7194110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7193860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7193703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7193610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7193516s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7193360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7193250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7192860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7192750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7192657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7192563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7192407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7192000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7191907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7191813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7191657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7191563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7191453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7191360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7191250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7191110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7191016s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7190907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7190813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7190703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7190563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7190453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7190360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7190250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7190110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7190016s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7189907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7189813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7189703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7189563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7189453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7189360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7189250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7189157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7189063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7188907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7188813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7188703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7188610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7188516s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7188360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7188250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7188157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7188063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7187953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7187813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7187703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7187610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7187500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7187407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7187266s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7187157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7187063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7186953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7186860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7186750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7186610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7186500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7186407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7186313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7186203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7186063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185766s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7185000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7184860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7184750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7184657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7184563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7184453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7184313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7184203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7184110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7184000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7183907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7183813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7183657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7183563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7183453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7183360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7183250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7183110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7183000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7182907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7182813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7182703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7182563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7182453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7182360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7182250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7182157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7182063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7181907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7181813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7181703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7181610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7181500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7181360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7181250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7181157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7181063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7180953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7180813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7180703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7180610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7180500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7180407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7180313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7180157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7180063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7179953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7179860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7179750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7179610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7179500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7179407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7179313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7179203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7179063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7178000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7177860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7177750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7177657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7177563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7177453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7177313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7177203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7177110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7177000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7176907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7176813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7176657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7176563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7176360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7176250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7176110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7176000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7175907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7175813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7175703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7175360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7175250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7175157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7175063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7174703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7174610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7174313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7174157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7174063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7173953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7173813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7173703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7173610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7173500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 Thread sleep time: -7173407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7173313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7173157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7173063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7172953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7172860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7172750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7172610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7172500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7172407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7172313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7172203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7172063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7171000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7170860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7170750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7170657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7170563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7170453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7170313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7170203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7170110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7170000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7169907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7169813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7169657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7169563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7169453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7169360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7169250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7169110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7169000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7168907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7168813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7168703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7168563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7168453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7168360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7168250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7168157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7168000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7167907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7167813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7167703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7167563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7167453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7167360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7167250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7167157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7167063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7166907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7166813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7166703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7166610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7166500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7166360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7166250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7166157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7166063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7165953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7165813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7165703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7165610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7165500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7165407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7165313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7165157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7165063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7164953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7164860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7164750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7164610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7164500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7164407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7164313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7164203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7164063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7163000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7162860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7162750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7162657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7162563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7162453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7162313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7162203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7162110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7162000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7161907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7161813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7161657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7161563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7161453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7161360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7161250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7161110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7161000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7160907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7160813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7160703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7160563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7160453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7160360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7160250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7160157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7160063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7159907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7159813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7159703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7159610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7159500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7159360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7159250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7159157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7159063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7158953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7158813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7158703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7158610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7158453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7158313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7158203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7158110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7158000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7157907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7157813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7157407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7157313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7157157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7157063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7156360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7156250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7156110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7156000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7155907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7155813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7155703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7155563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7155453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7155360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7155250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7155157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7155063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7154907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7154813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7154703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7154610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7154500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7154360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7154250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7154157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7154063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7153953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7153813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7153703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7153610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7153500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7153407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7153313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7153157s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7153063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7152953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7152860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7152750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7152610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7152500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7152407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7152313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7152203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7152063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151953s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151407s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7151000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7150860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7150750s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7150657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7150563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7150453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7150313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7150203s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7150110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7150000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7149907s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7149813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452Thread sleep time: -7149657s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7149563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7149453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7149360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7149250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7149110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7149000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7148907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7148813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7148703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7148563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7148453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7148360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7148250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7148157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7148063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7147907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7147813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7147703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7147610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7147500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7147360s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7147250s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7147157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7147063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7146953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7146813s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7146703s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7146610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7146500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7146407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7146313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7146157s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7146063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7145953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7145860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7145750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7145610s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7145500s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7145407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7145313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7145203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7145063s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144953s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144407s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7144000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7143860s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7143750s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7143657s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7143563s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7143453s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7143313s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7143203s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7143110s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7143000s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452 | Thread sleep time: -7142907s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: Shipping-Document.exe, 00000005.00000002.492662455.0000000005EC9000.00000004.00000001.sdmp | Binary or memory string: VMware
                  Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | Binary or memory string: vmware
                  Source: vlc.exe, 0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp | Binary or memory string: EnableAntiVMware
                  Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: Shipping-Document.exe, 00000005.00000002.492662455.0000000005EC9000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareMicrosoft Basic Display AdapterWin32_VideoControllerMicrosoft Basic Display AdapterVideoController120060621000000.000000-00052351491display.infMSBDAMicrosoft Basic Display AdapterPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMwareu8
                  Source: Shipping-Document.exe, 00000005.00000002.492262599.0000000005E90000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.481282122.0000000001303000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  .NET source code references suspicious native API functions
                  Source: Shipping-Document.exe, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: vlc.exe.0.dr, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 0.0.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 0.2.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 3.2.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 3.0.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 5.0.Shipping-Document.exe.990000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 5.2.Shipping-Document.exe.990000.1.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 12.2.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 12.0.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 14.0.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 14.2.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 17.2.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 17.0.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 18.0.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 18.2.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 19.0.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 19.2.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 20.2.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Source: 20.0.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs | Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Memory written: C:\Users\user\Desktop\Shipping-Document.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                  Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                  Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp | Binary or memory string: Progman
                  Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Users\user\Desktop\Shipping-Document.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Users\user\Desktop\Shipping-Document.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | Code function: 12_2_08A44570 GetUserNameA, 12_2_08A44570
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: vlc.exe, 0000001A.00000002.481282122.0000000001303000.00000004.00000020.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

                  Stealing of Sensitive Information:

                  Yara detected MassLogger RAT
                  Source: Yara match | File source: 00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000016.00000002.474961619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000003.392005702.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000003.401816626.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.399837462.0000000004325000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000003.380082858.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.285012492.0000000003F10000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.411380915.0000000003515000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vlc.exe PID: 3440, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Shipping-Document.exe PID: 1364, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vlc.exe PID: 1748, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY
                  Source: Yara match | File source: 26.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.Shipping-Document.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 22.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Tries to steal Mail credentials (via file access)
                  Source: C:\Users\user\Desktop\Shipping-Document.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY

                  Remote Access Functionality:

                  Yara detected MassLogger RAT
                  Source: Yara match | File sources: the same memory dumps, process memory spaces and unpacked PE files listed for this signature under "Stealing of Sensitive Information" above.

                  Mitre Att&ck Matrix

                  Techniques listed per tactic column; a bracketed number is the count badge shown next to that technique in the matrix.

                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                  Execution: Windows Management Instrumentation [121]; Native API [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
                  Persistence: Registry Run Keys / Startup Folder [11]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
                  Privilege Escalation: Process Injection [112]; Registry Run Keys / Startup Folder [11]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
                  Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [1]; Masquerading [1]; Virtualization/Sandbox Evasion [13]; Process Injection [112]; Steganography; Compile After Delivery; Indicator Removal from Tools; Masquerading; Invalid Code Signature
                  Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                  Discovery: Account Discovery [1]; File and Directory Discovery [1]; System Information Discovery [25]; Security Software Discovery [331]; Virtualization/Sandbox Evasion [13]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [1]
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
                  Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
                  Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [2]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

                  Behavior Graph


                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 321421 | Sample: Shipping-Document.com | Start date: 21/11/2020 | Architecture: WINDOWS | Score: 100
                  Graph rendered as text: node numbers are the graph's node IDs, bracketed numbers are its count badges, and elided paths (...) are as shown in the graph.
                  Node 2 (sample): DNS/IP: cdn.onenote.net (node 41). Signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures. Started: Shipping-Document.exe [1 6] (node 7); vlc.exe [2] (node 11); vlc.exe [3] (node 13).
                  Node 7 (Shipping-Document.exe): Dropped: C:\Users\user\AppData\Roaming\...\vlc.exe, PE32; C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII; C:\Users\user\...\Shipping-Document.exe.log, ASCII. Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Injects a PE file into a foreign processes. Started: Shipping-Document.exe [15 5] (node 15); Shipping-Document.exe (node 19).
                  Node 11 (vlc.exe): Started: vlc.exe (nodes 21, 23, 25).
                  Node 13 (vlc.exe): Started: vlc.exe [14 5] (node 27); vlc.exe (nodes 29, 31); 3 other processes (node 33).
                  Node 15 (Shipping-Document.exe): DNS/IP: elb097307-934924932.us-east-1.elb.amazonaws.com 54.243.164.148, 49721, 80 AMAZON-AESUS United States (node 43); 192.168.2.1 unknown unknown (node 45); 2 other IPs or domains (node 53). Signatures: Tries to steal Mail credentials (via file access).
                  Node 21 (vlc.exe): DNS/IP: 2 other IPs or domains (node 55). Signatures: Tries to harvest and steal browser information (history, passwords, etc).
                  Node 27 (vlc.exe): DNS/IP: 54.235.142.93, 49732, 49735, 80 AMAZON-AESUS United States (node 47); nagano-19599.herokussl.com (node 49); api.ipify.org (node 51).

                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label
Shipping-Document.exe | 21% | Virustotal |
Shipping-Document.exe | 5% | Metadefender |
Shipping-Document.exe | 21% | ReversingLabs | Win32.Trojan.Generic

                  Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 21% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 5% | Metadefender |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe | 21% | ReversingLabs | Win32.Trojan.Generic

                  Unpacked PE Files

Source | Detection | Scanner | Label
26.2.vlc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1139343
5.2.Shipping-Document.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1139343
22.2.vlc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1139343

                  Domains

Source | Detection | Scanner | Label
cdn.onenote.net | 1% | Virustotal |

                  URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://api.ipify8 | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://api.ipify8v | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://api.ipify.orgD | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://api.ipify8R | 0% | Avira URL Cloud | safe

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 54.243.164.148 | true | false | | high
api.ipify.org | unknown | unknown | false | | high
cdn.onenote.net | unknown | unknown | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | false | | high

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
http://api.ipify.org/p | Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://elb097307-934924932.us-east-1.elb.amazonaws.com | Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.486045579.0000000002D20000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485599592.0000000003142000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers | vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
http://api.ipify8 | vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.ipify8v | Shipping-Document.exe, 00000005.00000002.485070930.0000000002FAF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.ipify.org | Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.com | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.ipify.orgD | Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.ipify.org/P | Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp | false | | high
http://www.codeplex.com/DotNetZip | vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers8 | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
https://www.youtube.com/watch?v=Qxk6cu21JSg | Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.ipify8R | vlc.exe, 00000016.00000002.486012293.0000000002D1B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                          Contacted IPs


                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
54.243.164.148 | unknown | United States | 14618 | AMAZON-AESUS | false
54.235.142.93 | unknown | United States | 14618 | AMAZON-AESUS | false

                                                          Private

                                                          IP
                                                          192.168.2.1

                                                          General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321421
Start date: 21.11.2020
Start time: 22:20:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Shipping-Document.com (renamed file extension from com to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@25/10@7/3
EGA Information:
• Successful, ratio: 80%
HDC Information:
• Successful, ratio: 0.4% (good quality ratio 0.4%)
• Quality average: 71.6%
• Quality standard deviation: 29.9%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 98
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                          • Excluded IPs from analysis (whitelisted): 104.43.193.48, 104.43.139.144, 51.11.168.160, 2.20.142.209, 2.20.142.210, 51.104.139.180, 92.122.213.194, 92.122.213.247, 20.54.26.129, 92.122.145.220, 104.108.60.202, 84.53.167.113
                                                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, wildcard.weather.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, e1553.dspg.akamaiedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
• Execution Graph export aborted for target Shipping-Document.exe, PID 3420 because there are no executed functions
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          Time | Type | Description
                                                          22:21:51 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
                                                          22:21:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
                                                          22:22:14 | API Interceptor | 561x Sleep call for process: Shipping-Document.exe modified
                                                          22:22:52 | API Interceptor | 379x Sleep call for process: vlc.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                          54.243.164.148 | 1119_673423.doc | Get hash | malicious | Browse | api.ipify.org/
                                                          54.243.164.148 | Rewgjqjhqwqn8.exe | Get hash | malicious | Browse | api.ipify.org/
                                                          54.243.164.148 | i3gRY0HYZn.exe | Get hash | malicious | Browse | api.ipify.org/?format=xml
                                                          54.243.164.148 | mWKfVsuSZAHcuCc.exe | Get hash | malicious | Browse | api.ipify.org/
                                                          54.243.164.148 | Catalogue.exe | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | RVAgYSH2qh.exe | Get hash | malicious | Browse | api.ipify.org/?format=xml
                                                          54.235.142.93 | BUILDING ORDER_PROPERTY SPECS.exe | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | 1118_8732615.doc | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | XN33CLWH.EXE | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | Al-Hbb_Doc-EUR_Pdf.exe | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | YV2q4nAPVQ.exe | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | 1105_748543.doc | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | 174028911-035110-sanlccjavap0004-1.exe | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | RFQ-NOV-2020.exe | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | OZmn6gKEgi.exe | Get hash | malicious | Browse | api.ipify.org/
                                                          54.235.142.93 | WFDKJ4wsQ6.exe | Get hash | malicious | Browse | api.ipify.org/

                                                          Domains

                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | QRN-CLJC-06112020149.PDF.exe | Get hash | malicious | Browse | 54.243.161.145
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | yQDGREHA9h.exe | Get hash | malicious | Browse | 54.235.83.248
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | mcsrXx9lfD.exe | Get hash | malicious | Browse | 54.235.83.248
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | SecuriteInfo.com.Trojan.PackedNET.461.20928.exe | Get hash | malicious | Browse | 23.21.42.25
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | Defender-update-kit-x86x64.exe | Get hash | malicious | Browse | 54.225.153.147
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us | Get hash | malicious | Browse | 54.225.66.103
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | ORDER.exe | Get hash | malicious | Browse | 54.235.142.93
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | Bill # 2.xlsx | Get hash | malicious | Browse | 23.21.42.25
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | PO1.xlsx | Get hash | malicious | Browse | 174.129.214.20
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | a7UZzCVWKO.exe | Get hash | malicious | Browse | 54.204.14.42
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | QKLQkaCe9M.exe | Get hash | malicious | Browse | 50.19.252.36
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | sAPuJAvs52.exe | Get hash | malicious | Browse | 54.243.161.145
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | JlgyVmPWZr.exe | Get hash | malicious | Browse | 174.129.214.20
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | EIUOzWW2JX.exe | Get hash | malicious | Browse | 174.129.214.20
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | RVAgYSH2qh.exe | Get hash | malicious | Browse | 54.235.142.93
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | yCyc4rN0u8.exe | Get hash | malicious | Browse | 54.235.83.248
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | 9cXAnovmQX.exe | Get hash | malicious | Browse | 54.225.66.103
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | T2HDck1Mmy.exe | Get hash | malicious | Browse | 54.235.142.93
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | Purchase Order.exe | Get hash | malicious | Browse | 54.225.66.103
                                                          elb097307-934924932.us-east-1.elb.amazonaws.com | Payment Advice Note from 19.11.2020.exe | Get hash | malicious | Browse | 23.21.126.66

                                                          ASN

                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                          AMAZON-AESUS | QRN-CLJC-06112020149.PDF.exe | Get hash | malicious | Browse | 54.243.161.145
                                                          AMAZON-AESUS | Purchase Order 40,7045$.exe | Get hash | malicious | Browse | 52.71.133.130
                                                          AMAZON-AESUS | Purchase Order 40,7045.exe | Get hash | malicious | Browse | 54.208.77.124
                                                          AMAZON-AESUS | Fennec Pharma .docx | Get hash | malicious | Browse | 54.84.56.113
                                                          AMAZON-AESUS | Fennec Pharma .docx | Get hash | malicious | Browse | 54.84.56.113
                                                          AMAZON-AESUS | Fennec Pharma.xlsx | Get hash | malicious | Browse | 54.84.56.113
                                                          AMAZON-AESUS | Fennec Pharma.xlsx | Get hash | malicious | Browse | 54.84.56.113
                                                          AMAZON-AESUS | https://albanesebros.sendx.io/lp/shared-doc.html | Get hash | malicious | Browse | 3.213.165.33
                                                          AMAZON-AESUS | http://www.openair.com | Get hash | malicious | Browse | 34.202.206.65
                                                          AMAZON-AESUS | https://faxfax.zizera.com/remittanceadvice | Get hash | malicious | Browse | 184.73.218.177
                                                          AMAZON-AESUS | http://webnavigator.co | Get hash | malicious | Browse | 34.235.7.64
                                                          AMAZON-AESUS | https://mcmms.typeform.com/to/Vtnb9OBC | Get hash | malicious | Browse | 34.200.62.85
                                                          AMAZON-AESUS | yQDGREHA9h.exe | Get hash | malicious | Browse | 54.235.83.248
                                                          AMAZON-AESUS | mcsrXx9lfD.exe | Get hash | malicious | Browse | 54.235.83.248
                                                          AMAZON-AESUS | SecuriteInfo.com.Trojan.PackedNET.461.20928.exe | Get hash | malicious | Browse | 23.21.42.25
                                                          AMAZON-AESUS | Defender-update-kit-x86x64.exe | Get hash | malicious | Browse | 54.225.153.147
                                                          AMAZON-AESUS | https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us | Get hash | malicious | Browse | 54.225.66.103
                                                          AMAZON-AESUS | ORDER.exe | Get hash | malicious | Browse | 54.235.142.93
                                                          AMAZON-AESUS | http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1 | Get hash | malicious | Browse | 52.1.99.77
                                                          AMAZON-AESUS | Bill # 2.xlsx | Get hash | malicious | Browse | 23.21.42.25
                                                          AMAZON-AESUS | QRN-CLJC-06112020149.PDF.exe | Get hash | malicious | Browse | 54.243.161.145
                                                          AMAZON-AESUS | Purchase Order 40,7045$.exe | Get hash | malicious | Browse | 52.71.133.130
                                                          AMAZON-AESUS | Purchase Order 40,7045.exe | Get hash | malicious | Browse | 54.208.77.124
                                                          AMAZON-AESUS | Fennec Pharma .docx | Get hash | malicious | Browse | 54.84.56.113
                                                          AMAZON-AESUS | Fennec Pharma .docx | Get hash | malicious | Browse | 54.84.56.113
                                                          AMAZON-AESUS | Fennec Pharma.xlsx | Get hash | malicious | Browse | 54.84.56.113
                                                          AMAZON-AESUS | Fennec Pharma.xlsx | Get hash | malicious | Browse | 54.84.56.113
                                                          AMAZON-AESUS | https://albanesebros.sendx.io/lp/shared-doc.html | Get hash | malicious | Browse | 3.213.165.33
                                                          AMAZON-AESUS | http://www.openair.com | Get hash | malicious | Browse | 34.202.206.65
                                                          AMAZON-AESUS | https://faxfax.zizera.com/remittanceadvice | Get hash | malicious | Browse | 184.73.218.177
                                                          AMAZON-AESUS | http://webnavigator.co | Get hash | malicious | Browse | 34.235.7.64
                                                          AMAZON-AESUS | https://mcmms.typeform.com/to/Vtnb9OBC | Get hash | malicious | Browse | 34.200.62.85
                                                          AMAZON-AESUS | yQDGREHA9h.exe | Get hash | malicious | Browse | 54.235.83.248
                                                          AMAZON-AESUS | mcsrXx9lfD.exe | Get hash | malicious | Browse | 54.235.83.248
                                                          AMAZON-AESUS | SecuriteInfo.com.Trojan.PackedNET.461.20928.exe | Get hash | malicious | Browse | 23.21.42.25
                                                          AMAZON-AESUS | Defender-update-kit-x86x64.exe | Get hash | malicious | Browse | 54.225.153.147
                                                          AMAZON-AESUS | https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us | Get hash | malicious | Browse | 54.225.66.103
                                                          AMAZON-AESUS | ORDER.exe | Get hash | malicious | Browse | 54.235.142.93
                                                          AMAZON-AESUS | http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1 | Get hash | malicious | Browse | 52.1.99.77
                                                          AMAZON-AESUS | Bill # 2.xlsx | Get hash | malicious | Browse | 23.21.42.25

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\AEC365839D\Log.txt
                                                          Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1800
                                                          Entropy (8bit):5.4448188256893255
                                                          Encrypted:false
                                                          SSDEEP:24:GSZnNMZxaXok+/RV3kdZzM0f2uVM/viyJ1WhnGyJkdEiPv5J80:GSFAg+/RV3OZI0uuu6MchGJj5J80
                                                          MD5:C34F8BF4E27BB68FA0108BC5A5712E24
                                                          SHA1:FC0B4511A39BD5178205D175D4C548ACED69AF23
                                                          SHA-256:D11FCFABCA1A007F95CCB792F723CF6CC6DE29816E16F50330EAC19D4F54127D
                                                          SHA-512:DA6ECBCBC7F93487951101755D70B52404BAB1AA2EC3513B809DE2E9830FF9E153FCC608773BBB6ABA17706462F3DD3243A19A1F5F9449153949207D7AE8B1FA
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview: <|| v2.4.0.0 ||>..User Name: user..IP: 84.17.52.25..Location: United States..Windows OS: Microsoft Windows 10 Pro 64bit..Windows Serial Key: VG7NF-BJ77Y-WRF7X-GJVW7-H3M8T..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: Microsoft Basic Display Adapter..AV: Windows Defender ..Screen Resolution: 1280x1024..Current Time: 11/21/2020 10:23:00 PM..MassLogger Started: 11/21/2020 10:22:56 PM..Interval: 2 hour..MassLogger Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe..MassLogger Melt: false..MassLogger Exit after delivery: false..As Administrator: True..Processes:..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsf
                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping-Document.exe.log
                                                          Process:C:\Users\user\Desktop\Shipping-Document.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):1119
                                                          Entropy (8bit):5.356708753875314
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                          MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                          SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                          SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                          SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                          Malicious:true
                                                          Reputation:moderate, very likely benign file
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log
                                                          Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1119
                                                          Entropy (8bit):5.356708753875314
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                          MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                          SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                          SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                          SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          C:\Users\user\AppData\Local\Temp\DotNetZip-3hg33bsx.tmp
                                                          Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          File Type:Zip archive data, at least v2.0 to extract
                                                          Category:dropped
                                                          Size (bytes):1313
                                                          Entropy (8bit):7.043036922524586
                                                          Encrypted:false
                                                          SSDEEP:24:9wqN/6fFjxKN/Ujj9/ewfbBI6Dt8kme/F0yZhFiR0/xnxN/UjjbZIKN/6fFjGZHb:9xN6NjoNUjj9/PDBHx8kme/7MR8xxNUV
                                                          MD5:DBCE34334D5F6D7582E247A4101BD020
                                                          SHA1:C0D92A5B3A595721D0708901B4EDA33306DAC714
                                                          SHA-256:6CB6784E1A1BB42526FAC9DC4A7EA512EABE2764078BDEE866FC0126A25C4E30
                                                          SHA-512:539FBA7D05E7481FBF47A58DB79CA5B74B706C0646BB23AE62F314DFBAF355395F5A16986D9B969B922FF111066045BFC63672DA79185BA64D72CAF08D4C9FE5
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview: PK.........uQ............2.$.user_United States_AEC365839D_11-21-2020 22.23.4/.. .........................v....PK.........uQ............9.$.user_United States_AEC365839D_11-21-2020 22.23.4/Log.txt.. ...............................[o.0...#.;..V.,d.*...@[...6..$..0qd;.N|..@..F...<..|.?...l.......`...:#...|...\G.\.../..W~.r.....*f0......[4.3.q...<..tD..Q3..k...VP*N.}c....../...r.....?r.~..=..O.....uj......._BMi..v.} ;.J...B.."...~.Q.F.P.&...*.O,j...Q_.g.G....B..C....>...m.._$....[..,K..g.~..(B..a$..q..7...srH....X.].vl..^s....J......aPcAV.....T...-....D<........s..q.....+..E..]..k..q....f\......g$.".b...U.....c5.J3....0...S.....=.I.5.<...h.7?Q*.DV[h......g...I..)...{..9t-.Tbt .bw.O...s,..p}..4V....AUe.AH...~7T..FIv.il...[E..,.J.T.....r.....\.g.....$.3...*..P-.x.Y..q.{.xL.TjyN..t..g.."..4.::..F.u.xz...yu..Ih.E"].P.U6.N...."CC...FzY.~.e.I.L.?*....7PK.........uQ...........9.$.user_United States_AEC365839D_11-21-2020 22.23.4/Log.txt.. .............
                                                          C:\Users\user\AppData\Local\Temp\DotNetZip-4b2ut3ef.tmp
                                                          Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          File Type:Zip archive data, at least v2.0 to extract
                                                          Category:dropped
                                                          Size (bytes):1317
                                                          Entropy (8bit):7.031494974591168
                                                          Encrypted:false
                                                          SSDEEP:24:93NzHNzdj6ETBEVZ/EVKkC71ETR6PaSAEjw1kaOIrENzSZXNzlZJpNzTil:93pHplrlGZ/XHXiPEjw11apSZXplZvpK
                                                          MD5:8132E6EA831C1B6BE4BD2291AADB6039
                                                          SHA1:D976FFAA6CD0E120B8776CFAFB09D7B716ADEEC6
                                                          SHA-256:F530344314CBD18FAD28D37A886B9597EC8DA7497B13EFD859A0D1048CC68F0C
                                                          SHA-512:E61875E84C19AD02AFAB345922335F8CF709F15CD19074A3688122617160ACE1E0E785A346F334B335A8B703FC88DB3360BDABE869CD4E326E9272B10FFCFD1E
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview: PK.........uQ............3.$.user_United States_AEC365839D_11-21-2020 22.22.58/.. .........................}....PK.........uQ............:.$.user_United States_AEC365839D_11-21-2020 22.22.58/Log.txt.. ...............................[o.0...#.;..V.,d. ...e@[Bi.mS^Lr...G.C......J..0M......s...v.k.X.zE....32...W.`.u..un....b.R.....tU.P..Q",.0..q..Hb.l.a. ..VF.,..%..Z.uy*..;@-..{|a0nWz.B..R.Y.<.*?...R.|..C.i.G.n.......J..0...p}.y..(....R...7.unD.MaR._....v....5q.IL.. ..<.Q2.Z....e.i.....T*}...|."d..J..\'..t.|N.)?..t.-Wwl..^s...........a.`a^........-..._.d...._#.w.B.I.....+..E..[.k..q...PZ.3..{.....g$.b.b.........c5.J3....0...S...&.{wd.^g:x.Lk.k..TZ....j........7.&.S$3C.j?s.Z...@.....\k..D*.....i.p.->........n.%1.......%.F.YZ...9.M..././.H..-!..I.g.:?R:..Z...Q.~...Y... ....g.."..4.:>..F.u.x|...yu..Ih.E"[.P.T>.N...."CK...FzY.~...lH.N.?*.....PK.........uQ.BW........:.$.user_United States_AEC365839D_11-21-2020 22.22.58/Log.txt.. ...........
                                                          C:\Users\user\AppData\Local\Temp\DotNetZip-fu3v0fes.tmp
                                                          Process:C:\Users\user\Desktop\Shipping-Document.exe
                                                          File Type:Zip archive data, at least v2.0 to extract
                                                          Category:dropped
                                                          Size (bytes):1297
                                                          Entropy (8bit):7.030906938500873
                                                          Encrypted:false
                                                          SSDEEP:24:9rNmNTbeBs5whYIPS9u3ShMBoyoINsn/CbuuKmmNTUZLNUZfzNTs:9rIN76OIPS9uiioyTNsn/CadmmNUZL6g
                                                          MD5:018370A0F32AFAE7CD5FA0B7CA08BF33
                                                          SHA1:F4A3ABD2679619E0476A65D01D090B6F97064F27
                                                          SHA-256:C48C00649DE76CF63D8ED975D6C6926F5E12E46559EFD3F329AF19576AAFF383
                                                          SHA-512:226DCA9CBBF1B4EF9B207D3316B256791FB9D60E954F4655FE6339E1FD64BCFED526B12988DC0AB85A05FB69F4D23F038BA492C49DCBBEAFA432F773AE164729
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview: PK.........uQ............3.$.user_United States_AEC365839D_11-21-2020 22.22.19/.. ...........................PK.........uQ............:.$.user_United States_AEC365839D_11-21-2020 22.22.19/Log.txt.. .........h......h.............mo.0...G.w...4X...j......%.6..$.X.8...N|.]...F...)yu....;..b...\){e....32.....`.u..u...j.._-.....unU.P..Q",.0..q..Hb.d.n.'"...[8X}..Z.ye&..;D-...|f0.T..R.Z.Q.<...K...Z.~..B.i.F.........J.I.;...p~.y..(..:]R...7..nD.-aR.....v.....k.....w.a...x@.d....j.........B(.,...~/.(B..........1.j. ...My....Ym..A.G....T.~.....1..l.W.Lw.....J..HS.,J-.ek.V.....Ci..4...a...l.Q.G..X.P.."..jn.f.../j.0..].D..}3M......lx....{..D...Ys......&...4F&-.O.....~.P....@4......S"..p}.4-....A.e.FH...~7..Fi~.q,D......a{.O..c.....x!...-$.$I....#.c..j.E..D.......R.U. ..q!..p..u.......|......4X..8..n...4k#...#,(z...V$.....by9.R.3._.....7PK.........uQ.A.S}.......:.$.user_United States_AEC365839D_11-21-2020 22.22.19/Log.txt.. .........h......h..........
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Process:C:\Users\user\Desktop\Shipping-Document.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1631688
                                                          Entropy (8bit):4.471355537934198
                                                          Encrypted:false
                                                          SSDEEP:24576:rZpGi0JaVRMk7p5aYo6KdumheNUSIt2TZ+rSY6GJX1Vgsms38jZcPuUdIZTkLmuD:W
                                                          MD5:47F1684C0075AEA74BB225586D55B6E3
                                                          SHA1:7198622C341F1F6982EB20AC7A431508289DF924
                                                          SHA-256:58BA104E01F9650518E256C03102A8105428E761988CE5905DE77CD45A53AD90
                                                          SHA-512:863AF48BCE8E913D01E43EF0DD6BE8CA683D2B37EFA36AF9F517F76AEC6D99D6975F9797A8069996C591E06737AB3E978FFEAAD6612DE27C285202FD2B0D028A
                                                          Malicious:true
                                                          Antivirus:
• Antivirus: Virustotal, Detection: 21%
• Antivirus: Metadefender, Detection: 5%
                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                          Reputation:low
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._................................. ... ....@.. ....................................@.................................`...K.... ..p................9........................................................... ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@..@.reloc..............................@..B........................H........>..03...........q...............................................0..?........(....8....8........E........8....*.(.... .....:....& ....8......0..d....... ........8........E................0...{...I...[.......8.....{....o....(....(....& ....(....:....&8........ ....(....:....&8......(....& ....8.......Y.. ....(....9k...& ....8`.....(....(....&8 ....{....o....(...... ........8*...*(#... ....(....9....& ....8....8?... ....(....9....&8.... T...(....8.....{....(....(....o..
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe:Zone.Identifier
                                                          Process:C:\Users\user\Desktop\Shipping-Document.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Reputation:high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
(ZoneId=0 is URLZONE_LOCAL_MACHINE: the dropped copy carries no Mark-of-the-Web, so unlike an Internet-zone download with ZoneId=3 it is not treated as a downloaded file by SmartScreen or the attachment-execution warning when launched.)

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):4.471355537934198
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:Shipping-Document.exe
                                                          File size:1631688
                                                          MD5:47f1684c0075aea74bb225586d55b6e3
                                                          SHA1:7198622c341f1f6982eb20ac7a431508289df924
                                                          SHA256:58ba104e01f9650518e256c03102a8105428e761988ce5905de77cd45a53ad90
                                                          SHA512:863af48bce8e913d01e43ef0dd6be8ca683d2b37efa36af9f517f76aec6d99d6975f9797a8069996c591e06737ab3e978ffeaad6612de27c285202fd2b0d028a
                                                          SSDEEP:24576:rZpGi0JaVRMk7p5aYo6KdumheNUSIt2TZ+rSY6GJX1Vgsms38jZcPuUdIZTkLmuD:W
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_................................. ... ....@.. ....................................@................................

                                                          File Icon

                                                          Icon Hash:3dfce089e4c4d4e4

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x570bae
                                                          Entrypoint Section:.text
                                                          Digitally signed:true
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x5FB8C219 [Sat Nov 21 07:30:33 2020 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Authenticode Signature

Signature Valid:false
Signature Issuer:CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash computed over this file does not match the hash carried inside the signed PKCS#7 data)
Not Before:11/7/2019 4:00:00 PM
Not After:11/16/2022 4:00:00 AM
Subject Chain
• CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
Version:3
Thumbprint MD5:463BFA4FA69A9E6C4D8813CCFAAF16EE
Thumbprint SHA-1:A3958AE522F3C54B878B20D7B0F63711E08666B2
Thumbprint SHA-256:5F2F2840C6E51D17F09334ADA05D9DCDD9AEEB11AF0AE163816757D539ABE3EE
Serial:06AEA76BAC46A9E8CFE6D29E45AAF033
Note: the signer fields name a DigiCert-issued Google LLC code-signing certificate, but a bad-digest failure means the signature was produced over different file contents. Together with the Google Update version resource below, this is consistent with a WIN_CERTIFICATE block lifted from a genuine Google-signed binary and appended to this one: IMAGE_DIRECTORY_ENTRY_SECURITY points at file offset 0x18ac00 with size 0x39c8, which ends exactly at the file size of 1631688 bytes. "Digitally signed: true" above only records that such a block is present; the signer identity is unverified and must not be used as a trust signal.
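Why a copied signature block cannot verify follows from what the Authenticode digest covers. The script below is an added example, not part of this report or of any vendor tooling: it recomputes the Authenticode hash of a PE file with only the standard library (the hashing steps follow Microsoft's Authenticode PE specification), decodes the error number above into its HRESULT form, and reproduces the lifted-signature situation on a constructed minimal PE32 image. The "genuine" and "repacked" builds, the placeholder PKCS#7 blob and the minimal PE builder are all constructed for the demonstration.

```python
import hashlib
import struct

FILE_ALIGN = 0x200


def hresult(n: int) -> str:
    """Render a signed 32-bit error number as the HRESULT Windows headers use."""
    return f"0x{n & 0xFFFFFFFF:08X}"


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Digest a PE image the way signtool/WinVerifyTrust do: everything except the
    CheckSum field, the Certificate Table data-directory entry and the appended
    certificate table itself (steps from Microsoft's Authenticode PE spec)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}[magic]            # PE32 / PE32+ data directories
    checksum_off = opt + 64
    cert_dir_off = opt + dd_base + 4 * 8                 # IMAGE_DIRECTORY_ENTRY_SECURITY
    _cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir_off)
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                          # headers up to CheckSum
    h.update(pe[checksum_off + 4:cert_dir_off])          # skip CheckSum
    h.update(pe[cert_dir_off + 8:size_of_headers])       # skip the Certificate Table entry
    hashed = size_of_headers

    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):           # section data, in file order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    trailing = len(pe) - hashed - cert_size              # overlay data, minus the cert table
    if trailing > 0:
        h.update(pe[hashed:hashed + trailing])
    return h.hexdigest()


def build_pe(code: bytes, cert: bytes = b"", checksum: int = 0) -> bytes:
    """Assemble a minimal PE32 (one .text section) for the demo; optionally append a
    certificate table and point IMAGE_DIRECTORY_ENTRY_SECURITY at it."""
    text = code.ljust(FILE_ALIGN, b"\0")
    if len(text) != FILE_ALIGN:
        raise ValueError("demo code must fit one file-alignment unit")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, FILE_ALIGN)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)            # CheckSum (outside the digest)
    struct.pack_into("<H", opt, 68, 2)                   # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 96 + 4 * 8, 2 * FILE_ALIGN, len(cert))
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(code), 0x1000, FILE_ALIGN, FILE_ALIGN)
    struct.pack_into("<I", sec, 36, 0x60000020)          # CODE | EXECUTE | READ
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)).ljust(FILE_ALIGN, b"\0")
    return headers + text + cert


def lifted_signature_demo() -> dict:
    """Constructed data only: a WIN_CERTIFICATE blob signed over one build is
    appended to a different build, the situation a bad-digest error implies."""
    stub = bytes.fromhex("ff2500204000")                 # jmp dword ptr [0x402000]: x86 .NET entry stub
    genuine, repacked = stub + b"genuine build", stub + b"repacked build"
    blob = b"PKCS#7 SignedData lifted from the genuine build (placeholder)"
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob   # WIN_CERTIFICATE header
    return {
        "signed_digest": authenticode_hash(build_pe(genuine)),           # value inside SpcIndirectData
        "genuine_with_cert": authenticode_hash(build_pe(genuine, cert)),
        "genuine_new_checksum": authenticode_hash(build_pe(genuine, cert, checksum=0xDEADBEEF)),
        "repacked_with_cert": authenticode_hash(build_pe(repacked, cert)),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                # digest of a real file, e.g. the sample
        with open(sys.argv[1], "rb") as f:
            print(authenticode_hash(f.read()))
    for k, v in lifted_signature_demo().items():
        print(f"{k}: {v}")
```

Appending the certificate table and rewriting the checksum leave the digest unchanged, which is what lets a signature survive on the file it was made for; any change to section data produces a different digest, so the blob verifies only against the build it was signed over. Run with the sample path as argument to get the digest WinVerifyTrust compares against the value embedded in the PKCS#7 data.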

                                                          Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the remaining 97 entries of the preview all decode as `add byte ptr [eax], al`, i.e. the zero bytes that follow the six-byte stub)
Note: 0x402000 is ImageBase 0x400000 plus the IAT at RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT, size 0x8), whose single slot is the mscoree.dll!_CorExeMain import listed below. This is the standard native entry stub of a 32-bit .NET executable; the managed entry point is reached through the CLR header at RVA 0x2008 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), so the native disassembly carries no information about the sample's logic.

                                                          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x170b60 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x172000 | 0x1ba70 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x18ac00 (file offset, not RVA) | 0x39c8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                          Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x16ebb4 | 0x16ec00 | False | 0.47218960357 | data | 4.03017385847 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x172000 | 0x1ba70 | 0x1bc00 | False | 0.202509149775 | data | 5.19563928652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x18e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x172220 | 0x2320 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x174540 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x184d68 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x188f90 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x18b538 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 4473920 | |
RT_ICON | 0x18c5e0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x18ca48 | 0x5a | data | |
RT_VERSION | 0x18caa4 | 0x374 | data | |
RT_MANIFEST | 0x18ce18 | 0xc55 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
Note: the dBase and GLS identifications are libmagic guesses at raw icon bitmaps. The sizes match 32-bit BGRA icons with a 1-bit mask (40-byte BITMAPINFOHEADER + pixels + mask) at 128, 64, 48, 32 and 16 px, which together with the 256 px PNG entry form an ordinary multi-size icon set; the "strange resources" are an artefact of type detection, not packed data.

                                                          Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                          Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018 Google LLC
Assembly Version | 1.3.35.451
InternalName | Ulzzwremyvkd6.exe
FileVersion | 1.3.35.451
CompanyName | Google LLC
Comments | Google Installer
ProductName | Google Update
ProductVersion | 1.3.35.451
FileDescription | Google Installer
OriginalFilename | Ulzzwremyvkd6.exe
Note: the company, product and version strings mimic Google Update 1.3.35.451 while InternalName and OriginalFilename are a random string and the dropped copy is named vlc.exe. A version resource is unauthenticated metadata; the only binding of these strings to a publisher would be a valid Authenticode signature, which this file does not have.

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2020 22:22:00.762152910 CET | 49721 | 80 | 192.168.2.3 | 54.243.164.148
Nov 21, 2020 22:22:00.864978075 CET | 80 | 49721 | 54.243.164.148 | 192.168.2.3
Nov 21, 2020 22:22:00.865180016 CET | 49721 | 80 | 192.168.2.3 | 54.243.164.148
Nov 21, 2020 22:22:00.866674900 CET | 49721 | 80 | 192.168.2.3 | 54.243.164.148
Nov 21, 2020 22:22:00.969307899 CET | 80 | 49721 | 54.243.164.148 | 192.168.2.3
Nov 21, 2020 22:22:00.976836920 CET | 80 | 49721 | 54.243.164.148 | 192.168.2.3
Nov 21, 2020 22:22:01.021373034 CET | 49721 | 80 | 192.168.2.3 | 54.243.164.148
Nov 21, 2020 22:22:49.953600883 CET | 49732 | 80 | 192.168.2.3 | 54.235.142.93
Nov 21, 2020 22:22:50.056014061 CET | 80 | 49732 | 54.235.142.93 | 192.168.2.3
Nov 21, 2020 22:22:50.056130886 CET | 49732 | 80 | 192.168.2.3 | 54.235.142.93
Nov 21, 2020 22:22:50.056575060 CET | 49732 | 80 | 192.168.2.3 | 54.235.142.93
Nov 21, 2020 22:22:50.158710003 CET | 80 | 49732 | 54.235.142.93 | 192.168.2.3
Nov 21, 2020 22:22:50.164937019 CET | 80 | 49732 | 54.235.142.93 | 192.168.2.3
Nov 21, 2020 22:22:50.212912083 CET | 49732 | 80 | 192.168.2.3 | 54.235.142.93
Nov 21, 2020 22:22:58.560981989 CET | 49735 | 80 | 192.168.2.3 | 54.235.142.93
Nov 21, 2020 22:22:58.664211988 CET | 80 | 49735 | 54.235.142.93 | 192.168.2.3
Nov 21, 2020 22:22:58.664439917 CET | 49735 | 80 | 192.168.2.3 | 54.235.142.93
Nov 21, 2020 22:22:58.665633917 CET | 49735 | 80 | 192.168.2.3 | 54.235.142.93
Nov 21, 2020 22:22:58.768011093 CET | 80 | 49735 | 54.235.142.93 | 192.168.2.3
Nov 21, 2020 22:22:58.773164034 CET | 80 | 49735 | 54.235.142.93 | 192.168.2.3
Nov 21, 2020 22:22:58.921525002 CET | 49735 | 80 | 192.168.2.3 | 54.235.142.93
Nov 21, 2020 22:23:00.887444973 CET | 80 | 49721 | 54.243.164.148 | 192.168.2.3
Nov 21, 2020 22:23:00.888092041 CET | 49721 | 80 | 192.168.2.3 | 54.243.164.148
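The three port-80 flows above are each preceded by a DNS query for api.ipify.org (listed under DNS Queries below), which is how the "may check the online IP address" behaviour shows up on the wire. The script below is an added detection example, not part of this report: it joins DNS answers to the TCP flows they explain and flags destinations that resolve to external-IP lookup services (ATT&CK T1016.001). Timestamps, ports and addresses are taken from the tables in this report; the A-record answers are constructed, because the report lists the queries and the 8.8.8.8 replies but not the answer data, and the services other than api.ipify.org in the watch list are assumed additions.

```python
from datetime import datetime, timedelta

# api.ipify.org is the name the report shows being queried; the other entries are
# assumed additions covering services commonly used for the same external-IP check.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ip-api.com", "checkip.dyndns.org", "icanhazip.com"}

# Constructed A-record answers. The report shows 8.8.8.8 replying at these times but
# not the answer data, so the IP-to-name binding here is an assumption.
DNS_ANSWERS = [
    ("Nov 21, 2020 22:22:00.385130882 CET", "api.ipify.org", "54.243.164.148"),
    ("Nov 21, 2020 22:22:49.846364975 CET", "api.ipify.org", "54.235.142.93"),
    ("Nov 21, 2020 22:22:57.639264107 CET", "api.ipify.org", "54.235.142.93"),
]

# First client-to-server packet of each TCP flow in the report's table.
TCP_FLOW_STARTS = [
    ("Nov 21, 2020 22:22:00.762152910 CET", "192.168.2.3", 49721, "54.243.164.148", 80),
    ("Nov 21, 2020 22:22:49.953600883 CET", "192.168.2.3", 49732, "54.235.142.93", 80),
    ("Nov 21, 2020 22:22:58.560981989 CET", "192.168.2.3", 49735, "54.235.142.93", 80),
]


def parse_ts(s: str) -> datetime:
    """Parse the report's 'Nov 21, 2020 22:22:00.762152910 CET' format. The fraction
    is nanoseconds, which datetime cannot hold, so it is truncated to microseconds."""
    head, frac_zone = s.split(".")
    frac = frac_zone.split(" ")[0]
    micros = int(frac[:6].ljust(6, "0"))
    return datetime.strptime(head, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=micros)


def label_flows(answers, flows, window=timedelta(seconds=120)):
    """Attach to each flow the hostname most recently resolved to its destination IP
    within `window`; flows with no such answer are direct-to-IP and get host None."""
    resolved = sorted((parse_ts(t), name, ip) for t, name, ip in answers)
    labelled = []
    for t, src, sport, dst, dport in flows:
        start = parse_ts(t)
        host = None
        for ans_t, ans_name, ans_ip in resolved:
            if ans_ip == dst and ans_t <= start <= ans_t + window:
                host = ans_name                        # sorted ascending, so the latest answer wins
        labelled.append({"start": start, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "host": host})
    return labelled


def flag_ip_lookups(labelled):
    """Return the flows whose resolved hostname is an external-IP lookup service."""
    return [f for f in labelled if f["host"] in IP_LOOKUP_SERVICES]


if __name__ == "__main__":
    for f in flag_ip_lookups(label_flows(DNS_ANSWERS, TCP_FLOW_STARTS)):
        print(f"{f['start'].isoformat()} {f['src']} -> {f['dst']} ({f['host']})")
```

The join by resolved address rather than by hostname string is deliberate: the HTTP requests here go to the IP the resolver returned, and on a real sensor the only place the hostname appears is the DNS answer (or an HTTP Host header, which the report notes was sent without a User-Agent). Flows whose destination was never resolved within the window come back with host None and are worth a separate direct-to-IP rule.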

                                                          UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2020 22:21:09.186827898 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:09.222868919 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:09.993848085 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:10.031853914 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:10.809195995 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:10.836564064 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:13.862592936 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:13.889771938 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:14.660721064 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:14.687913895 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:15.488516092 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:15.515783072 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:16.470161915 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:16.497458935 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:17.383024931 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:17.410284996 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:18.664967060 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:18.700856924 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:19.479413033 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:19.507297039 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:20.338855028 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:20.366700888 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:21.156471014 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:21.183614016 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:21.959223986 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:21.994941950 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:22.774533033 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:22.801701069 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:33.957308054 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:33.984694958 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:21:59.075335026 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:21:59.112881899 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:00.357954979 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:00.385130882 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:00.455102921 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:00.482178926 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:07.953336954 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:07.980539083 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:11.918097973 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:11.955988884 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:43.168602943 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:43.196012974 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:49.819142103 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:49.846364975 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:49.866417885 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:49.893604994 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:52.974126101 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:53.017977953 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:57.601746082 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:57.639264107 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:57.786498070 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:57.813941956 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:22:58.480577946 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:22:58.507960081 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:23:16.125009060 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:23:16.126764059 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Nov 21, 2020 22:23:16.162115097 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Nov 21, 2020 22:23:16.163928032 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 21, 2020 22:22:00.357954979 CET | 192.168.2.3 | 8.8.8.8 | 0x2079 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.455102921 CET | 192.168.2.3 | 8.8.8.8 | 0x1600 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.819142103 CET | 192.168.2.3 | 8.8.8.8 | 0xf7e8 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.866417885 CET | 192.168.2.3 | 8.8.8.8 | 0xe1e4 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:57.786498070 CET | 192.168.2.3 | 8.8.8.8 | 0x59b2 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:58.480577946 CET | 192.168.2.3 | 8.8.8.8 | 0xc345 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Nov 21, 2020 22:23:16.125009060 CET | 192.168.2.3 | 8.8.8.8 | 0xfcb0 | Standard query (0) | cdn.onenote.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.243.164.148 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.66.103 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.252.4 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.169.28 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.182.194 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 174.129.214.20 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.19.252.36 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET | 8.8.8.8 | 192.168.2.3 | 0x2079 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 184.73.247.141 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.243.164.148 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.66.103 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.252.4 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.169.28 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.182.194 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 174.129.214.20 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.19.252.36 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET | 8.8.8.8 | 192.168.2.3 | 0x1600 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 184.73.247.141 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.142.93 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.66.103 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.19.252.36 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.126.66 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.83.248 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.252.4 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.243.161.145 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET | 8.8.8.8 | 192.168.2.3 | 0xf7e8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 184.73.247.141 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.66.103 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.142.93 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.252.4 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.153.147 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.169.28 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.243.164.148 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.42.25 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET | 8.8.8.8 | 192.168.2.3 | 0xe1e4 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.83.248 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.142.93 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.66.103 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.19.252.36 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.126.66 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.83.248 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.252.4 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.243.161.145 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET | 8.8.8.8 | 192.168.2.3 | 0x59b2 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 184.73.247.141 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 174.129.214.20 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.235.142.93 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.153.147 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 184.73.247.141 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 50.19.252.36 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.243.164.148 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 54.225.169.28 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET | 8.8.8.8 | 192.168.2.3 | 0xc345 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | - | 23.21.42.25 | A (IP address) | IN (0x0001)
Nov 21, 2020 22:23:16.162115097 CET | 8.8.8.8 | 192.168.2.3 | 0xfcb0 | No error (0) | cdn.onenote.net | cdn.onenote.net.edgekey.net | - | CNAME (Canonical name) | IN (0x0001)

HTTP Request Dependency Graph

• api.ipify.org

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49721 | 54.243.164.148 | 80 | C:\Users\user\Desktop\Shipping-Document.exe

Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 22:22:00.866674900 CET | 348 | OUT |
    GET / HTTP/1.1
    Host: api.ipify.org
    Connection: Keep-Alive
Nov 21, 2020 22:22:00.976836920 CET | 349 | IN |
    HTTP/1.1 200 OK
    Server: Cowboy
    Connection: keep-alive
    Content-Type: text/plain
    Vary: Origin
    Date: Sat, 21 Nov 2020 21:22:00 GMT
    Content-Length: 11
    Via: 1.1 vegur
    Data Raw: 38 34 2e 31 37 2e 35 32 2e 32 35
    Data Ascii: 84.17.52.25


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49732 | 54.235.142.93 | 80 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 22:22:50.056575060 CET | 3658 | OUT |
    GET / HTTP/1.1
    Host: api.ipify.org
    Connection: Keep-Alive
Nov 21, 2020 22:22:50.164937019 CET | 3658 | IN |
    HTTP/1.1 200 OK
    Server: Cowboy
    Connection: keep-alive
    Content-Type: text/plain
    Vary: Origin
    Date: Sat, 21 Nov 2020 21:22:50 GMT
    Content-Length: 11
    Via: 1.1 vegur
    Data Raw: 38 34 2e 31 37 2e 35 32 2e 32 35
    Data Ascii: 84.17.52.25


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49735 | 54.235.142.93 | 80 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 22:22:58.665633917 CET | 3669 | OUT |
    GET / HTTP/1.1
    Host: api.ipify.org
    Connection: Keep-Alive
Nov 21, 2020 22:22:58.773164034 CET | 3675 | IN |
    HTTP/1.1 200 OK
    Server: Cowboy
    Connection: keep-alive
    Content-Type: text/plain
    Vary: Origin
    Date: Sat, 21 Nov 2020 21:22:58 GMT
    Content-Length: 11
    Via: 1.1 vegur
    Data Raw: 38 34 2e 31 37 2e 35 32 2e 32 35
    Data Ascii: 84.17.52.25


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 22:21:14
Start date: 21/11/2020
Path: C:\Users\user\Desktop\Shipping-Document.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Shipping-Document.exe'
Imagebase: 0x450000
File size: 1631688 bytes
MD5 hash: 47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000003.285012492.0000000003F10000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 22:21:49
Start date: 21/11/2020
Path: C:\Users\user\Desktop\Shipping-Document.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\Shipping-Document.exe
Imagebase: 0x3f0000
File size: 1631688 bytes
MD5 hash: 47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 22:21:50
Start date: 21/11/2020
Path: C:\Users\user\Desktop\Shipping-Document.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Shipping-Document.exe
Imagebase: 0x990000
File size: 1631688 bytes
MD5 hash: 47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 22:22:00
Start date: 21/11/2020
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase: 0xbe0000
File size: 1631688 bytes
MD5 hash: 47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000003.392005702.00000000048A0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000002.399837462.0000000004325000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000003.380082858.00000000048A0000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 21%, Virustotal
• Detection: 5%, Metadefender
• Detection: 21%, ReversingLabs
Reputation: low

General

Start time: 22:22:08
Start date: 21/11/2020
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase: 0xb0000
File size: 1631688 bytes
MD5 hash: 47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000E.00000003.401816626.00000000040ED000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000E.00000002.411380915.0000000003515000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 22:22:34
Start date: 21/11/2020
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase: 0x4b0000
File size: 1631688 bytes
MD5 hash: 47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 22:22:34
Start date: 21/11/2020
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase: 0x230000
File size: 1631688 bytes
MD5 hash: 47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                          General

                                                          Start time:22:22:36
                                                          Start date:21/11/2020
                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Imagebase:0x90000
                                                          File size:1631688 bytes
                                                          MD5 hash:47F1684C0075AEA74BB225586D55B6E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:22:22:37
                                                          Start date:21/11/2020
                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Imagebase:0x190000
                                                          File size:1631688 bytes
                                                          MD5 hash:47F1684C0075AEA74BB225586D55B6E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:22:22:37
                                                          Start date:21/11/2020
                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Imagebase:0x10000
                                                          File size:1631688 bytes
                                                          MD5 hash:47F1684C0075AEA74BB225586D55B6E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:22:22:40
                                                          Start date:21/11/2020
                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Imagebase:0x7ff7488e0000
                                                          File size:1631688 bytes
                                                          MD5 hash:47F1684C0075AEA74BB225586D55B6E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000016.00000002.474961619.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          General

                                                          Start time:22:22:43
                                                          Start date:21/11/2020
                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Imagebase:0x7ff7488e0000
                                                          File size:1631688 bytes
                                                          MD5 hash:47F1684C0075AEA74BB225586D55B6E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:22:22:45
                                                          Start date:21/11/2020
                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Imagebase:0x350000
                                                          File size:1631688 bytes
                                                          MD5 hash:47F1684C0075AEA74BB225586D55B6E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          General

                                                          Start time:22:22:45
                                                          Start date:21/11/2020
                                                          Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
                                                          Imagebase:0xb10000
                                                          File size:1631688 bytes
                                                          MD5 hash:47F1684C0075AEA74BB225586D55B6E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Disassembly

                                                          Code Analysis


                                                            Execution Graph

                                                            Execution Coverage:12.1%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:128
                                                            Total number of Limit Nodes:9

                                                            Graph


                                                            Executed Functions

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02789676
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID: j
                                                            • API String ID: 4139908857-2137352139
                                                            • Opcode ID: 566557b34f962045712d67ac6788946b9fe9c234c47379dc073d3efc0640a450
                                                            • Instruction ID: 926ae5fa2794594157eb9d9003478c194eec5d51115f18be25d6105c18ce9d12
                                                            • Opcode Fuzzy Hash: 566557b34f962045712d67ac6788946b9fe9c234c47379dc073d3efc0640a450
                                                            • Instruction Fuzzy Hash: F3711470A00B058FD724EF69D45476ABBF1BF88304F10892DE59AD7B40EB35E8458F91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0278FEAA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: d6fe416bc19215caba30db6f6ec39002e036ed5530710d603fa139c039298c87
                                                            • Instruction ID: a003ee7913903bdbeefb97ad3e17145e19d98e692f9c23a6da92136a9159a83b
                                                            • Opcode Fuzzy Hash: d6fe416bc19215caba30db6f6ec39002e036ed5530710d603fa139c039298c87
                                                            • Instruction Fuzzy Hash: 1B7132B1C043489FDF16CFA5C890ACDBFB1FF49314F6681AAE408AB262D7359946CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0278FEAA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 07bddc3b526b20369f0f2746495d8ea2bd1699342272fc44f22924259e46260e
                                                            • Instruction ID: 844c028b99be69d9f5cfd7a5897e27ba230867ca3f1eed17c58630ddb5c46fc1
                                                            • Opcode Fuzzy Hash: 07bddc3b526b20369f0f2746495d8ea2bd1699342272fc44f22924259e46260e
                                                            • Instruction Fuzzy Hash: 5451CEB1D003089FDF14DFA9D884ADEBBB5FF88314F64812AE819AB251D7749885CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0278FEAA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: cf0a17e5c8ead616c0f8a69a2ee54126b591e86bdb26c85c2261d8c62f846a23
                                                            • Instruction ID: 68deb98663e2052c4b0cf5eac8249f4b5d972c3406284048a81deeb5d0607c72
                                                            • Opcode Fuzzy Hash: cf0a17e5c8ead616c0f8a69a2ee54126b591e86bdb26c85c2261d8c62f846a23
                                                            • Instruction Fuzzy Hash: EC51CFB1D00308DFDF14DF9AD884ADEBBB5BF88314F64812AE819AB211D7749845CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02785451
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 60779b3ea20322fb3b0acbfba971dfc2829ab353bbf534e457e9756e4d895e32
                                                            • Instruction ID: 126bd09e8163d5c0e50481387820fc890d9ebddb35e434f33e138f6598987df6
                                                            • Opcode Fuzzy Hash: 60779b3ea20322fb3b0acbfba971dfc2829ab353bbf534e457e9756e4d895e32
                                                            • Instruction Fuzzy Hash: 6141F1B0D04618CBEB24DFA9C844BCEBBF5BF48308F618069D409BB251DBB56949CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02785451
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 6292c37e8b47ffcec836c08356465dcfbe3e157fd54ce7896cb765359c3cdee7
                                                            • Instruction ID: a32c2c0f402a4879c588ad659cdff67e013f2b0efcd4f2ee10a7b46798512916
                                                            • Opcode Fuzzy Hash: 6292c37e8b47ffcec836c08356465dcfbe3e157fd54ce7896cb765359c3cdee7
                                                            • Instruction Fuzzy Hash: 8341F2B1E04618CFDB24DFA9C9447CEBBB1BF88309F25806AD409BB251DB756949CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0278B91E,?,?,?,?,?), ref: 0278B9DF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: e7d9697402db3eaa64b9e56ed5f29565aaf390bc835a6eec6bb2b11e13aac19b
                                                            • Instruction ID: 9307584c3ce5c126ee297aa4322c93dee6399a8fae18e219e8f26a7f9a6b14b5
                                                            • Opcode Fuzzy Hash: e7d9697402db3eaa64b9e56ed5f29565aaf390bc835a6eec6bb2b11e13aac19b
                                                            • Instruction Fuzzy Hash: A12103B5900208DFDB10CFA9D884AEEBBF8EB48324F14801AE914B3310D778A954CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027896F1,00000800,00000000,00000000), ref: 02789902
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 79b962219dee46b331e6d8030d1b1285c84ee82c72551b1f5232632defd95aa4
                                                            • Instruction ID: b83b41c09b433b00cc98a112c4c633cbe8a8b2c18f21144890173aeb9ece22c0
                                                            • Opcode Fuzzy Hash: 79b962219dee46b331e6d8030d1b1285c84ee82c72551b1f5232632defd95aa4
                                                            • Instruction Fuzzy Hash: EF2115B6D00209DFCB10DF9AD444AEEFBB4EB98324F10842AD525A7700C7799545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

Control-flow Graph (blocks and edges; executed/not-executed edge colouring not preserved)

• 155: 0278B953-0278B9EC (DuplicateHandle)
• 156: 0278B9EE-0278B9F4
• 157: 0278B9F5-0278BA12
• Edges: 155->156, 155->157, 156->157
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0278B91E,?,?,?,?,?), ref: 0278B9DF
Memory Dump Source
• Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: e65fcca52293c33641fae760f296a869d0d6cc9358ce8a3bca99977f5ce1447d
• Instruction ID: dfcdd8a49c955f3f55b5a0e5e0e55a9488cc6b08ec2b3ff071a95c519be70014
• Opcode Fuzzy Hash: e65fcca52293c33641fae760f296a869d0d6cc9358ce8a3bca99977f5ce1447d
• Instruction Fuzzy Hash: 5C21E2B6900209DFDF10CFA9D584ADEBBF5FB48324F14801AE914A3350D778A954CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (blocks and edges; executed/not-executed edge colouring not preserved)

• 160: 027887A0-027898D8
• 162: 027898DA-027898DD
• 163: 027898E0-0278990F (LoadLibraryExW)
• 164: 02789918-02789935
• 165: 02789911-02789917
• Edges: 160->162, 160->163, 162->163, 163->164, 163->165, 165->164
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027896F1,00000800,00000000,00000000), ref: 02789902
Memory Dump Source
• Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 196fec9099d59bb1490f0dc3754e4b8c0be36d5da9a3b6671b586a5ade605a39
• Instruction ID: 3d4c3970b1393a15d5226f9de317832e46d409b7a51b0082f85217e8a68d674c
• Opcode Fuzzy Hash: 196fec9099d59bb1490f0dc3754e4b8c0be36d5da9a3b6671b586a5ade605a39
• Instruction Fuzzy Hash: FA1103B2904209DFDB10DF9AD444AEEBBF4EB88314F11842AD519B7300C778A945CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (blocks and edges; executed/not-executed edge colouring not preserved)

• 168: 02789610-02789650
• 169: 02789658-02789683 (GetModuleHandleW)
• 170: 02789652-02789655
• 171: 0278968C-027896A0
• 172: 02789685-0278968B
• Edges: 168->169, 168->170, 169->171, 169->172, 170->169, 172->171
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02789676
Memory Dump Source
• Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1c9a253db8d3e66e863112130242e5ff60f44a3e857081add1b2c44000ddd04c
• Instruction ID: 4aa70f5bedab63e0ba74cf61f76a99427b8d778698c2a8a9689528739aad4b14
• Opcode Fuzzy Hash: 1c9a253db8d3e66e863112130242e5ff60f44a3e857081add1b2c44000ddd04c
• Instruction Fuzzy Hash: CC1113B1D00649CFCB10DF9AD444BDEFBF4AB88224F11851AD429B7700D378A545CFA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.289533238.000000000264D000.00000040.00000001.sdmp, Offset: 0264D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_264d000_Shipping-Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb7e32894d7472061de00e18448ba63800d30c2c59535d343ad4117319b719a4
• Instruction ID: 6cd5acf23e7261e5d166a4c3f84d0563344d955971ce86b437ca7ac00df3653b
• Opcode Fuzzy Hash: eb7e32894d7472061de00e18448ba63800d30c2c59535d343ad4117319b719a4
• Instruction Fuzzy Hash: 952137B1A04240DFDB09DF14D8C0B26BF65FB88328F24C569E9454B706CB36D856CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.289562418.000000000265D000.00000040.00000001.sdmp, Offset: 0265D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_265d000_Shipping-Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2db43c9e6c2268ca29fd146467efe568d49f6f335ebb50a12e76e2e47071a7e
• Instruction ID: 5a9874497b8628e4bb3194ec75af5c43f80366e029a7ba6eee104f32e2372644
• Opcode Fuzzy Hash: f2db43c9e6c2268ca29fd146467efe568d49f6f335ebb50a12e76e2e47071a7e
• Instruction Fuzzy Hash: 8D210471604244EFDB05DF14D9C0B26BBA5FB88318F24C9ADEE094B786C736D846CA61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.289562418.000000000265D000.00000040.00000001.sdmp, Offset: 0265D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_265d000_Shipping-Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8269df31c2cbf03c0a4b3688a17149277c940036183d2f8eae53f4e2c90499b2
• Instruction ID: ea8b13077b51624072cd75c97ed2f17c64b6b3e7995d58c44568bdfb77b82bb5
• Opcode Fuzzy Hash: 8269df31c2cbf03c0a4b3688a17149277c940036183d2f8eae53f4e2c90499b2
• Instruction Fuzzy Hash: 4D21D371604284DFDB14DF14D8C0B26BBA5FF84214F24C569EC0A4B386C736D847CA61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.289562418.000000000265D000.00000040.00000001.sdmp, Offset: 0265D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_265d000_Shipping-Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d41f4a569ec913b001e6882cf165a5b065b48e04d52ea5fd39665d0e27f2955
• Instruction ID: 28c6353a4025d7f173ec2e65bb41ec03c1faa1943aebc8782e8f4ce9ed8fb1dc
• Opcode Fuzzy Hash: 0d41f4a569ec913b001e6882cf165a5b065b48e04d52ea5fd39665d0e27f2955
• Instruction Fuzzy Hash: AA215E755083C09FDB02CF24D994B15BF71EF46214F28C5EAD8498B7A7C33A985ACB62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.289533238.000000000264D000.00000040.00000001.sdmp, Offset: 0264D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_264d000_Shipping-Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0b404d9eecf1aa7ef9aea8b33e7c2e64b2c905fd441304741711280b6bf8a9a
• Instruction ID: e2f4fa8a2f0f9d8f04804fae517fb09bfde82d1ef355e8b629a8e1a4ab37a52c
• Opcode Fuzzy Hash: b0b404d9eecf1aa7ef9aea8b33e7c2e64b2c905fd441304741711280b6bf8a9a
• Instruction Fuzzy Hash: 2311D376904280DFCB15CF14D5C4B16BF71FB84324F24C6A9D8494B756C736D46ACBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.289562418.000000000265D000.00000040.00000001.sdmp, Offset: 0265D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_265d000_Shipping-Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
• Instruction ID: bdd5ad144050443dd04dff0be5411d2a9ee1be419fc36888ba7dd014a7ed86ca
• Opcode Fuzzy Hash: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
• Instruction Fuzzy Hash: C3118B75904280DFCB11CF14D5C4B15FBA1FB84224F28C6ADDD494B796C33AD45ACB62
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 46f797c465c156b2a9b5758edf6d7839c878658541729ce9eb6ba8e5670770d0
• Instruction ID: d4d17bdf39e88029a9d26264bda0fff01be63a3bc4d327303fc0b913a60a839e
• Opcode Fuzzy Hash: 46f797c465c156b2a9b5758edf6d7839c878658541729ce9eb6ba8e5670770d0
• Instruction Fuzzy Hash: 5B12B4F5422746EAD310DF65F8F86A93BA1F795728B90420CD2612BBD0D7BC294ACF44
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5080590ef251d3c4b66567a1368b97fbc3e2decadf4bd34798f36eeb5e155a0b
• Instruction ID: adf8f0f14b6971d075d28b1d5d96e9a62401969522e7b678dd47a3650ade3c3f
• Opcode Fuzzy Hash: 5080590ef251d3c4b66567a1368b97fbc3e2decadf4bd34798f36eeb5e155a0b
• Instruction Fuzzy Hash: EFA16E32E40219CFCF1AEFB5C8449DEB7B2FF84700B15816AE805AB260EB75A905CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.289707279.0000000002780000.00000040.00000001.sdmp, Offset: 02780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2780000_Shipping-Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 565ecc2e3011a27a9b50383cbf3684ac7f0833259e7b4370dbfda562dc04ebc5
• Instruction ID: 0a37dbd7bf861a159d41ba10cf6de10b9611daba6f550a8775cb506d6bcca7eb
• Opcode Fuzzy Hash: 565ecc2e3011a27a9b50383cbf3684ac7f0833259e7b4370dbfda562dc04ebc5
• Instruction Fuzzy Hash: 9DC138B5922746EAD710DF65F8F82A93BA1FB85328F51420CD1612B7D0D7BC284ACF54
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 8.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 23
Total number of Limit Nodes: 3

Graph (each node is a function address with the API it calls; the graph's four connected components are listed separately)

• Handle chain: 16455 0697DE00 GetCurrentProcess; 16456 0697DE73; 16457 0697DE7A GetCurrentThread; 16458 0697DEB7 GetCurrentProcess; 16459 0697DEB0; 16460 0697DEEE; 16469 0697BF44; 16470 0697DFF8 DuplicateHandle; 16471 0697DF2A; 16463 0697DF3C; 16465 0697DF46 GetCurrentThreadId; 16468 0697DF77; 16464 0697DFE1 DuplicateHandle; 16467 0697E08E
  Edges: 16455->16456, 16455->16457, 16456->16457, 16457->16458, 16457->16459, 16459->16458, 16458->16460, 16460->16469, 16469->16470, 16470->16471, 16471->16463, 16471->16464, 16463->16465, 16465->16468, 16464->16467
• Hook install: 16472 0697B100; 16473 0697B144 SetWindowsHookExW; 16475 0697B18A
  Edges: 16472->16473, 16473->16475
• User-mode callback: 16476 069756F0; 16477 06975736 KiUserCallbackDispatcher; 16479 06975789
  Edges: 16476->16477, 16477->16479
• Library load: 16451 0527E328; 16453 0527E37B LoadLibraryA; 16454 0527E429
  Edges: 16451->16453, 16453->16454

Executed Functions

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0697DE60
• GetCurrentThread.KERNEL32 ref: 0697DE9D
• GetCurrentProcess.KERNEL32 ref: 0697DEDB
• GetCurrentThreadId.KERNEL32 ref: 0697DF64
Memory Dump Source
• Source File: 00000005.00000002.493356847.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6970000_Shipping-Document.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 79ef04f4657f83bf7edd48a39477c26c73e750be3bfab43b04b60ebc20696d58
• Instruction ID: ebe4c7155710167ea31792601b8ba9c6c3a51fc893e179d6e0dfa542c8351182
• Opcode Fuzzy Hash: 79ef04f4657f83bf7edd48a39477c26c73e750be3bfab43b04b60ebc20696d58
• Instruction Fuzzy Hash: 769140B09043489FCB50DFA9E988B9EBBF5AF48314F20805AE419A7750DB34A948CF60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (blocks and edges; executed/not-executed edge colouring not preserved)

• 41: 0527E328-0527E387
• 43: 0527E3DB-0527E427 (LoadLibraryA)
• 44: 0527E389-0527E3AE
• 47: 0527E3B0-0527E3B2
• 48: 0527E430-0527E461
• 49: 0527E429-0527E42F
• 51: 0527E3D5-0527E3D8
• 52: 0527E3B4-0527E3BE
• 53: 0527E463-0527E467
• 54: 0527E471
• 55: 0527E3C2-0527E3D1
• 56: 0527E3C0
• 58: 0527E469
• 59: 0527E3D3
• Edges: 41->43, 41->44, 43->48, 43->49, 44->43, 44->47, 47->51, 47->52, 48->53, 48->54, 49->48, 51->43, 52->55, 52->56, 53->54, 53->58, 55->55, 55->59, 56->55, 58->54, 59->51
APIs
Memory Dump Source
• Source File: 00000005.00000002.489282099.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5270000_Shipping-Document.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 3d77de63c031533491413dd84e45a29debc9c28114b200bc1ae32402f6fee71e
• Instruction ID: 2f908c1d3fb71a6e6f93db79aa453f1b186822f7d36acfe2b8ac5ee3fe05ab4e
• Opcode Fuzzy Hash: 3d77de63c031533491413dd84e45a29debc9c28114b200bc1ae32402f6fee71e
• Instruction Fuzzy Hash: 99416970D106199FDB14CFA9D88579EBBF6FF48314F118129E819AB380D7B49885CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (blocks and edges; executed/not-executed edge colouring not preserved)

• 131: 0697BF44-0697E08C (DuplicateHandle)
• 133: 0697E095-0697E0B2
• 134: 0697E08E-0697E094
• Edges: 131->133, 131->134, 134->133
APIs
• DuplicateHandle.KERNELBASE(00000000,00000000,069493D4,?,00000000,06975BAC,00000000,?,?,?,?,?,00000000), ref: 0697E07F
Memory Dump Source
• Source File: 00000005.00000002.493356847.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6970000_Shipping-Document.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: d7e7d3a2f7ae7c25dbcca20636431e9dd2fa2d92e4384fda010df0db67e534f7
• Instruction ID: d8a21ec42d095326f0173a0c910d9a070a1f7d9330dd00500643143fec4fe43f
• Opcode Fuzzy Hash: d7e7d3a2f7ae7c25dbcca20636431e9dd2fa2d92e4384fda010df0db67e534f7
• Instruction Fuzzy Hash: CE2105B59042089FDB10CFA9D884ADEBBF8EB48310F14801AE915B3310D778A944CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (blocks and edges; executed/not-executed edge colouring not preserved)

• 137: 069756E0-06975744
• 141: 0697574F-06975787 (KiUserCallbackDispatcher)
• 142: 06975790-069757B6
• 143: 06975789-0697578F
• Edges: 137->141, 141->142, 141->143, 143->142
APIs
• KiUserCallbackDispatcher.NTDLL(00000050), ref: 06975773
Memory Dump Source
• Source File: 00000005.00000002.493356847.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6970000_Shipping-Document.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 2ef37a8033e5357ee41bd344fa5cd7100a03125be20e1fc7987422ef49905003
• Instruction ID: 951879d83295ef4c380c59bb257f8a1e7c598f8a455596729c67b575dc57438e
• Opcode Fuzzy Hash: 2ef37a8033e5357ee41bd344fa5cd7100a03125be20e1fc7987422ef49905003
• Instruction Fuzzy Hash: 7D217A71D053498FCB40DFA9E845AEEBBF4BB48324F14841AE419B7781DB786908CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (blocks and edges; executed/not-executed edge colouring not preserved)

• 146: 0697B0F8-0697B14A
• 149: 0697B156-0697B188 (SetWindowsHookExW)
• 150: 0697B14C-0697B154
• 151: 0697B191-0697B1B6
• 152: 0697B18A-0697B190
• Edges: 146->149, 146->150, 149->151, 149->152, 150->149, 152->151
APIs
• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0697B17B
Memory Dump Source
• Source File: 00000005.00000002.493356847.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6970000_Shipping-Document.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: d47dd0f9f13f3b07fc01cc4b5af5780bede406f61a11612d4c8e3d214d041ace
• Instruction ID: d0ef9f888bc32106800eab20ea4c387623621d507521c3053f5bcadc5ae87ddc
• Opcode Fuzzy Hash: d47dd0f9f13f3b07fc01cc4b5af5780bede406f61a11612d4c8e3d214d041ace
• Instruction Fuzzy Hash: 01213872D042089FCB50DF99D844BDEBBF5EB88314F148419D419A7750CB78A944CFA1
Uniqueness

Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 157 697b100-697b14a 159 697b156-697b188 SetWindowsHookExW 157->159 160 697b14c-697b154 157->160 161 697b191-697b1b6 159->161 162 697b18a-697b190 159->162 160->159 162->161
                                                            APIs
                                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0697B17B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.493356847.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_6970000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: HookWindows
                                                            • String ID:
                                                            • API String ID: 2559412058-0
                                                            • Opcode ID: 2f02ed5a2ab5c7f2c7107fa13c472690b78717f1eaaa0e0905bab1d68d701535
                                                            • Instruction ID: 739bf35708549fc66f197f4b90ff2da68d3130ce8d72c5d0a991b811b185a2c6
                                                            • Opcode Fuzzy Hash: 2f02ed5a2ab5c7f2c7107fa13c472690b78717f1eaaa0e0905bab1d68d701535
                                                            • Instruction Fuzzy Hash: 8C211571D042089FCB54DFA9D844BEEBBF5AB88314F148419D419A7650CB78A944CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 167 69756f0-6975787 KiUserCallbackDispatcher 171 6975790-69757b6 167->171 172 6975789-697578f 167->172 172->171
                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00000050), ref: 06975773
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.493356847.0000000006970000.00000040.00000001.sdmp, Offset: 06970000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_6970000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            • Opcode ID: ac4a20b5a9cc444e15e61f62f384519774d0973c199da1c531386d93b02d4873
                                                            • Instruction ID: 2105c1ed6f5321b946a48dbad051c5a14b894f2ede83e6c10c6c89df0cbbb601
                                                            • Opcode Fuzzy Hash: ac4a20b5a9cc444e15e61f62f384519774d0973c199da1c531386d93b02d4873
                                                            • Instruction Fuzzy Hash: 73213875D04249CFCB40DFA9E8456EEBBF4BB48324F10841AD419B7780CB786944CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.481647501.000000000156D000.00000040.00000001.sdmp, Offset: 0156D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_156d000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e661968b064024f8731be23b21bd01866ead79b32293257824e062ed73cac3b7
                                                            • Instruction ID: f3571d47e1c77a26db568c4f0bd2a75929731dad169f25a39121ac37b9d62203
                                                            • Opcode Fuzzy Hash: e661968b064024f8731be23b21bd01866ead79b32293257824e062ed73cac3b7
                                                            • Instruction Fuzzy Hash: 1F21F471604244DFDB11DF54D8C0B2ABFB9FB98318F248969E9454FA06C336D855CAE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.481859474.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_157d000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7c5311368b94a9d18b3938b231124a154103bf695a20af6c51e77f3c617873a4
                                                            • Instruction ID: cf197d487385da1e6d31f3f4cfbcf622b03cffca86d8f57467da24432bf1cbf7
                                                            • Opcode Fuzzy Hash: 7c5311368b94a9d18b3938b231124a154103bf695a20af6c51e77f3c617873a4
                                                            • Instruction Fuzzy Hash: 82213471504244DFCB12DF54E8C4B2ABBB5FF84364F24C969E8490F242D33AD846CA62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.481859474.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_157d000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 419d1a38841ca8a1364228b175ad5284a9eb07033a6aebd00c329fba138c75ef
                                                            • Instruction ID: 6026ce22597c00cc77e4ea9f9b214724df2ff7d4df2b97daac7f6ceb5ab4f825
                                                            • Opcode Fuzzy Hash: 419d1a38841ca8a1364228b175ad5284a9eb07033a6aebd00c329fba138c75ef
                                                            • Instruction Fuzzy Hash: 592125B15082049FDB01DF94E8C0B2ABBB5FF84724F24C96DE8094F246C736D806CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.481859474.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_157d000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a592ddd277fae1869a9a8c315e7b438f91b15432569ca8bc64c7879d51524b2f
                                                            • Instruction ID: 3b1ab651fe4b7c897533a11294034223ecf7b96654762cfa09b1c1802257b155
                                                            • Opcode Fuzzy Hash: a592ddd277fae1869a9a8c315e7b438f91b15432569ca8bc64c7879d51524b2f
                                                            • Instruction Fuzzy Hash: 8121D371504244AFDB01CFA4E9C5B26BBB5FF84318F24C96DE9094F246C376E846CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.481859474.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_157d000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 63ec26392e60db327f676a21b2dbaca352a99ad3d40265862590defa1c871748
                                                            • Instruction ID: 47247ab092698a3ae3c0ecfbe7317c8e2c6a22611f59f746abe0f344072d7ad9
                                                            • Opcode Fuzzy Hash: 63ec26392e60db327f676a21b2dbaca352a99ad3d40265862590defa1c871748
                                                            • Instruction Fuzzy Hash: E0217F755093808FCB138F24D990719BF71FF86224F29C19AD8488B657C33A980ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.481647501.000000000156D000.00000040.00000001.sdmp, Offset: 0156D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_156d000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b0b404d9eecf1aa7ef9aea8b33e7c2e64b2c905fd441304741711280b6bf8a9a
                                                            • Instruction ID: 677b3de6ad7f594714c61fea6674dc55fe4193137922562260bf463d4d1cee9e
                                                            • Opcode Fuzzy Hash: b0b404d9eecf1aa7ef9aea8b33e7c2e64b2c905fd441304741711280b6bf8a9a
                                                            • Instruction Fuzzy Hash: 7411DF76504280CFCB12CF14D5C0B1ABF71FB94324F288AA9D8450B617C33AD45ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.481859474.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_157d000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction ID: 913cc08f11e687fc6af299d0b3de5081b533af2ab7acdaec41c14933b45dee90
                                                            • Opcode Fuzzy Hash: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction Fuzzy Hash: BC118B75904280DFDB12CF64E5C4B19BBB1FB84324F28C6A9D8494B656C33AD85ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.481859474.000000000157D000.00000040.00000001.sdmp, Offset: 0157D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_157d000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction ID: 209c0c48a06f88708e72682b513ded3891f475bdf18e5b51ab3a8d9aac8623ca
                                                            • Opcode Fuzzy Hash: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction Fuzzy Hash: 6D11BE75504280CFCB02CF64E5C4B19BB71FB84318F28C6A9D8094B657C33AD45ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.492117112.0000000005E80000.00000040.00000001.sdmp, Offset: 05E80000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_5e80000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 927d975556e8e1d510d2dd1777ce56eef7e5ba1e934aad71094dab3da5a5b3a6
                                                            • Instruction ID: cc3c475053003cd1164949676fa0ac87cce42e6355461e401e9227dfadf684fa
                                                            • Opcode Fuzzy Hash: 927d975556e8e1d510d2dd1777ce56eef7e5ba1e934aad71094dab3da5a5b3a6
                                                            • Instruction Fuzzy Hash: A9D0C9B6D1510CFF8B00DFE4C98549EB7FDDB05110B6045EA950DD7210EE325B146BD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.492117112.0000000005E80000.00000040.00000001.sdmp, Offset: 05E80000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_5e80000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 70984e70eaa958501ee99fd424cd901529cfeb6ea53fadd160a58f6dbd7a2068
                                                            • Instruction ID: 18dc16494cddcbd3d9e7c16ac2810707b6593cf99182c0ecb618bd2004fcc622
                                                            • Opcode Fuzzy Hash: 70984e70eaa958501ee99fd424cd901529cfeb6ea53fadd160a58f6dbd7a2068
                                                            • Instruction Fuzzy Hash: 69D0C9B6D1510CAF4B01DFA8C94549EB7FDDB45210B1045EA9509D7210EE315B145BD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.492117112.0000000005E80000.00000040.00000001.sdmp, Offset: 05E80000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_5e80000_Shipping-Document.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bbc8ffcbba63281feba2cb4c3824dabace50dd7316da1b4d82722822e2b4f698
                                                            • Instruction ID: c7bb73b591864040a91b0d88f0d9d6bf33de220fbdd3a352ba8ff9727ca0ac72
                                                            • Opcode Fuzzy Hash: bbc8ffcbba63281feba2cb4c3824dabace50dd7316da1b4d82722822e2b4f698
                                                            • Instruction Fuzzy Hash: D4D0C9B2D2510CEF4B40DFA4C94549EBBFDDF45110B1041EA9909D7210EE315F149BD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Execution Graph

                                                            Execution Coverage:12.3%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:1.5%
                                                            Total number of Nodes:204
                                                            Total number of Limit Nodes:12

                                                            Graph

                                                            execution_graph (API-bearing call chains, grouped by entry point; "/" separates alternative blocks reached from the same caller)
                                                            • 176b730 -> 176b796 -> 176b8e2 / 176b8f0 -> 176a154 -> 176b958 DuplicateHandle -> 176b91e -> 176b845
                                                            • 17640d0 -> 17640dc -> 1764211 -> 1764235 -> 1764310 / 1764300 -> 1763e40 -> 17653a0 CreateActCtxA -> 1765463
                                                            • 17640dc -> 1763c64 -> 1763c6f -> 1765864 -> 1765884 -> 17658b4 -> 17658e4 -> 17658ef -> 176b468 / 176b459 -> 176b489 -> 176b618 / 176b608 (5 API calls) -> 176a0cc -> 176a0d7 -> 176bef4 -> 176beff -> 17658e4 (5 API calls) -> 176c3c7
                                                            • 176c3c7 -> 176c430 / 176c440 -> 176c46e -> 176c53a KiUserCallbackDispatcher -> 176c53f
                                                            • 176c3c7 -> 176c3d5 -> 176e148 / 176e138 -> 176e5b7 / 176e5c8 LoadLibraryExW, GetModuleHandleW -> 176e1c5 -> 176ef90 / 176ef80 CreateWindowExW -> 176e185 -> 176c400 -> 176c358
                                                            • 1769338 -> 1769339 -> 1769430 / 176941f -> 1769431 -> 17696b8 / 17696a9 -> 17696cc -> 17687a0 -> 1769898 LoadLibraryExW -> 1769911 -> 17696f1 -> 1769453 -> 1769658 GetModuleHandleW -> 1769685 -> 1769347
                                                            • 56c8541 FindCloseChangeNotification -> 56c85af
                                                            • 8a43d29 -> 8a42580 / 8a42579 -> 8a425c8 WriteProcessMemory -> 8a4261f -> 8a43196 -> 8a42330 / 8a42338 ResumeThread -> 8a43388
                                                            • 8a43baa -> 8a42670 / 8a42669 -> 8a426bb ReadProcessMemory -> 8a426ff -> 8a43196 -> 8a42330 / 8a42338 ResumeThread -> 8a43388
                                                            • 8a43594 -> 8a435aa -> 8a444e0 / 8a444d0 -> 8a424c0 / 8a424b8 -> 8a42500 VirtualAllocEx -> 8a4253d -> 8a444f7 -> 8a43196 -> 8a42330 / 8a42338 ResumeThread -> 8a43388
                                                            • 8a437d7 -> 8a42580 / 8a42579 WriteProcessMemory -> 8a43196 -> 8a42330 / 8a42338 ResumeThread -> 8a43388
                                                            • 8a444b0 -> 8a423e0 / 8a423e8 -> 8a4242d GetThreadContext -> 8a42475 -> 8a444cc
                                                            • 8a44dd0 -> 8a423e0 / 8a423e8 GetThreadContext -> 8a44dec
                                                            • 8a436ff -> 8a436d1 -> 8a436e6 -> 8a42580 / 8a42579 WriteProcessMemory -> 8a43842; 8a436d1 -> 8a43669; 8a436d1 -> 8a43196 -> 8a42330 / 8a42338 ResumeThread -> 8a43388
                                                            • 8a431b8 -> 8a4289c / 8a428a8 -> 8a42931 CreateProcessA -> 8a42af3
                                                            • 8a44539 -> 8a44565 / 8a44570 -> 8a445c9 GetUserNameA -> 8a446ce
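The 8a4xxxx chains in the execution graph reach CreateProcessA, GetThreadContext, VirtualAllocEx, WriteProcessMemory and ResumeThread, which in that order is the classic process-hollowing sequence (spawn a process, take its thread context, map memory in it, write the payload, resume the thread), and the 697xxxx functions recorded above call SetWindowsHookExW at 0697B17B, the API a user-mode keylogger uses to install its hook. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it reads a per-process API trace and flags a process only when those five calls appear in hollowing order, plus any SetWindowsHookEx call. The trace format (pid,address,api), the pids and the call order are constructed for the example; the addresses are the ones the graph and the function records show.

```python
"""Flag a process-hollowing API sequence and window-hook installs in a
per-process API trace.  Added example; the trace is constructed, the
addresses are the ones in the execution graph, the pids and call order
are assumptions."""
import re
from collections import defaultdict

# Classic hollowing order: spawn a (suspended) process, read its thread
# context, map memory in it, write the payload, resume the thread.
HOLLOWING_CHAIN = ("CreateProcessA", "GetThreadContext", "VirtualAllocEx",
                   "WriteProcessMemory", "ResumeThread")
# SetWindowsHookEx installs the hook a user-mode keylogger needs.
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW"}

# Constructed trace, one call per line: pid,address,api
SAMPLE_TRACE = """\
12,08A42931,CreateProcessA
12,08A4242D,GetThreadContext
12,08A42500,VirtualAllocEx
12,08A425C8,WriteProcessMemory
12,08A425C8,WriteProcessMemory
12,08A42330,ResumeThread
5,0697B17B,SetWindowsHookExW
5,06975773,KiUserCallbackDispatcher
9,00401000,ResumeThread
9,00401050,CreateProcessA
9,00401080,WriteProcessMemory
"""

LINE_RE = re.compile(r"^(?P<pid>\d+),(?P<addr>[0-9A-Fa-f]+),(?P<api>\w+)$")


def parse_trace(text):
    """Group (api, address) calls by pid, preserving call order."""
    per_pid = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"malformed trace line: {line!r}")
        per_pid[int(m["pid"])].append((m["api"], int(m["addr"], 16)))
    return dict(per_pid)


def matches_chain(calls, chain):
    """Return the calls that realise `chain` as an ordered subsequence of
    `calls`, or None.  Order is the point: a process that calls the same
    APIs in another order (pid 9 in the sample) is not flagged."""
    hits, want = [], 0
    for api, addr in calls:
        if api == chain[want]:
            hits.append((api, addr))
            want += 1
            if want == len(chain):
                return hits
    return None


def analyze(text):
    """Map each suspicious pid to its hollowing chain / hook calls."""
    report = {"hollowing": {}, "hooks": {}}
    for pid, calls in parse_trace(text).items():
        chain = matches_chain(calls, HOLLOWING_CHAIN)
        if chain:
            report["hollowing"][pid] = chain
        hooks = [(api, addr) for api, addr in calls if api in HOOK_APIS]
        if hooks:
            report["hooks"][pid] = hooks
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE)
    for pid, chain in result["hollowing"].items():
        print(f"pid {pid}: hollowing chain "
              + " -> ".join(f"{api}@{addr:08X}" for api, addr in chain))
    for pid, hooks in result["hooks"].items():
        print(f"pid {pid}: window hook via "
              + ", ".join(f"{api}@{addr:08X}" for api, addr in hooks))
```

The ordered-subsequence check is what keeps the rule from firing on every process that merely imports these APIs: a debugger or an installer also calls CreateProcessA and WriteProcessMemory, but not in this order ending in ResumeThread on a freshly created process. Feeding it a real trace only needs a parser for the sandbox's own "API.MODULE(args), ref: ADDRESS" lines in place of the constructed format.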

Executed Functions

Control-flow Graph: function at 8a44570 (rendered graph; edge list not reproduced)
APIs
• GetUserNameA.ADVAPI32(00000000), ref: 08A446BC
Memory Dump Source
• Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: c1efcb8c35cdf860bfd34828926bf76c1cb2414700601b50f8028beae122662c
• Instruction ID: 9e480007962127731c093ee3ead4d905a925e90aafc7500db584bbcb89fb6952
• Opcode Fuzzy Hash: c1efcb8c35cdf860bfd34828926bf76c1cb2414700601b50f8028beae122662c
• Instruction Fuzzy Hash: 84512370D012589FDB14CFA9C594B9EFBF1BF88305F258029D819AB790DB789846CBA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 8a4289c (rendered graph; edge list not reproduced)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08A42ADE
Memory Dump Source
• Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 607d2bacec681d2aea6406200dc6ffa1ef70f4f188af6ce3131522a9102a6465
• Instruction ID: b1f017b2ac2425c9944b945d42935aba6781a4c6bb2b2573899195788aa79c82
• Opcode Fuzzy Hash: 607d2bacec681d2aea6406200dc6ffa1ef70f4f188af6ce3131522a9102a6465
• Instruction Fuzzy Hash: 6EA19C71D00619DFDF20DF68C8807EDBBB2BF88305F1585A9E809A7640DB749986CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 8a428a8 (rendered graph; edge list not reproduced)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08A42ADE
Memory Dump Source
• Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 989fb11e8e5194262aad46d004efbd7c517e6120316d4c811c3bb29360479edc
• Instruction ID: 2eadc14c025022f1a5ab3c07b7e654325bb23116c04172f4dd2fdf81b403ccc5
• Opcode Fuzzy Hash: 989fb11e8e5194262aad46d004efbd7c517e6120316d4c811c3bb29360479edc
• Instruction Fuzzy Hash: DA918B71D00619CFDF20DF69C8807EDBBB2BF88315F1585A9E809A7640DB749986CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 1769430 (rendered graph; edge list not reproduced)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01769676
Memory Dump Source
• Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 89617af338c6accac960d8e2e2b111100b61b73a27d18e1541c82acee5416857
• Instruction ID: 41fb82385108d4a17f2238028268aea775cb261e8f24d644bf8ab1e9f87ba962
• Opcode Fuzzy Hash: 89617af338c6accac960d8e2e2b111100b61b73a27d18e1541c82acee5416857
• Instruction Fuzzy Hash: C0712370A00B058FD724DF6AD44475ABBF5BF88208F10892ED94ADBA50DB78E805CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 8a44565 (rendered graph; edge list not reproduced)
APIs
• GetUserNameA.ADVAPI32(00000000), ref: 08A446BC
Memory Dump Source
• Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: b09fe9cb4ed0f2652646c63ec043cefc4117b33d16bad2ac050b32d1b7bd3f26
• Instruction ID: 219731a992de869a3b6adbd0a738539ad88cf50228216df1474682c4a6b0d28d
• Opcode Fuzzy Hash: b09fe9cb4ed0f2652646c63ec043cefc4117b33d16bad2ac050b32d1b7bd3f26
• Instruction Fuzzy Hash: A4512370D022588FDB14CFA9C994B9DFBF1BF88305F24802DD815AB791DB789846CBA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 176fd8c (rendered graph; edge list not reproduced)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0176FEAA
Memory Dump Source
• Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: aab9615410b44aaff60f3d2313338756d8db324183aee23013e5f961c8864e7f
• Instruction ID: 4cdb782d4ace509838726dce36967ba4ae48ac4bbad5a10dba1b69336be1a5f0
• Opcode Fuzzy Hash: aab9615410b44aaff60f3d2313338756d8db324183aee23013e5f961c8864e7f
• Instruction Fuzzy Hash: F351CEB1D103089FDB14CFA9D894ADEFFB5BF88314F24812AE819AB210D775A845CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 176de5c (rendered graph; edge list not reproduced)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0176FEAA
Memory Dump Source
• Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 7139820ff744c8e0da29b01002bc22c194d51722e5c57d585ed099f6a47d2fc2
• Instruction ID: 88e00159c1f3d3b14e42a049ce91740fcdfcb0f726a22ca294b7a385aa32a3d3
• Opcode Fuzzy Hash: 7139820ff744c8e0da29b01002bc22c194d51722e5c57d585ed099f6a47d2fc2
• Instruction Fuzzy Hash: 3D51BEB1D103089FDB14CF99D894ADEFFB5BF88714F24812AE819AB210D775A885CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 1765394 (rendered graph; edge list not reproduced)
APIs
• CreateActCtxA.KERNEL32(?), ref: 01765451
Memory Dump Source
• Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 18b22045b4ea951e8e8b2459abf50f7278dfe31217086a7272fbf589f01e5945
• Instruction ID: d7d6e9c256db715e804159e856ddebd9f414b936ca5995b7b03a395a20b9be36
• Opcode Fuzzy Hash: 18b22045b4ea951e8e8b2459abf50f7278dfe31217086a7272fbf589f01e5945
• Instruction Fuzzy Hash: 9441F2B1E04618CFDB24CFA9C884B9DFBF5BF49305F21806AD408AB251DB796945CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 1763e40 (rendered graph; edge list not reproduced)
APIs
• CreateActCtxA.KERNEL32(?), ref: 01765451
Memory Dump Source
• Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: ec04f6588858b5ae045a00f41400034c57af8dd2d96355ffbc2046333b0220a1
• Instruction ID: 6945473d9eda9181ee1bb3542f3c4c3c5ade9499bd867733d72f55daa09e1c18
• Opcode Fuzzy Hash: ec04f6588858b5ae045a00f41400034c57af8dd2d96355ffbc2046333b0220a1
• Instruction Fuzzy Hash: 1141D2B1E0461CCBDB24CFA9C94479DFBF5BF58304F218069D908AB251DB796945CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 8a42580 (rendered graph; edge list not reproduced)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08A42610
Memory Dump Source
• Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 2b2608cb7cc76cdbcd5bdabde49c29a00feab71a18ebbcb708682533d40cd90a
• Instruction ID: 05ce6bc4f6a35daa5943edf9306fd0791e47e3cb5909f905e5e50eb76c9cbd5e
• Opcode Fuzzy Hash: 2b2608cb7cc76cdbcd5bdabde49c29a00feab71a18ebbcb708682533d40cd90a
• Instruction Fuzzy Hash: 622139719003499FCF10DFA9D8847EEBBF5FF88314F14842AE919A7640DB78A955CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 8a42579 (rendered graph; edge list not reproduced)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08A42610
Memory Dump Source
• Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 3b71b66204b02088ce57c280038b26d23a3d5ba92fef4a558aa7407d408f355b
• Instruction ID: febfaae14590bad927ac0a090a7bc17ff0e7ad05c17b77b0c8254fc477b784fd
• Opcode Fuzzy Hash: 3b71b66204b02088ce57c280038b26d23a3d5ba92fef4a558aa7407d408f355b
• Instruction Fuzzy Hash: 3C2115719003099FCF10CFA9D9857EEBBB5FF48314F14842AE919A7640DB789955CBA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 8a423e0 (rendered graph; edge list not reproduced)
APIs
• GetThreadContext.KERNELBASE(?,00000000), ref: 08A42466
Memory Dump Source
• Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 76bf832d01e81aaed1d2b2c782a0fc8a0d2e20acdf2156d1dc8c7bc72ec2d2bd
• Instruction ID: d7adb96c05c99316af29709a75a42f3fef85646e0ab7a8c7ca22a88b7f12e4bf
• Opcode Fuzzy Hash: 76bf832d01e81aaed1d2b2c782a0fc8a0d2e20acdf2156d1dc8c7bc72ec2d2bd
• Instruction Fuzzy Hash: 8C212571D043088FCB10DFA9D5857EEBBF4AF88224F14842ED559A7640DB789949CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 176a154 (rendered graph; edge list not reproduced)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0176B91E,?,?,?,?,?), ref: 0176B9DF
Memory Dump Source
• Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 2947af80bd5a4ea67489754c1ebb0ed2c4afca3641af7db0f9db738e3c3d860f
• Instruction ID: 409162d3fd6e30b891a63aeef11e9931d88f33d52be2568d70320287d7df9a05
• Opcode Fuzzy Hash: 2947af80bd5a4ea67489754c1ebb0ed2c4afca3641af7db0f9db738e3c3d860f
• Instruction Fuzzy Hash: 1521E5B5904349DFDB10CF99D984ADEFBF8EB49320F14841AE915A3310D778A954CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: function at 176b952 (rendered graph; edge list not reproduced)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0176B91E,?,?,?,?,?), ref: 0176B9DF
Memory Dump Source
• Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: ac905a7377e9b87aba3b61732325e932a261f1cdbcc940bc7889a6c09eb395a5
• Instruction ID: 0fe3ddc674f0c56fb0def1f2f528be7e364851b948888244cdd7e15fa53cf5b2
• Opcode Fuzzy Hash: ac905a7377e9b87aba3b61732325e932a261f1cdbcc940bc7889a6c09eb395a5
• Instruction Fuzzy Hash: 9821D6B59002189FDB10CF99D484AEEBBF8FB49320F14841AE914A7210D774A944CFA1
Uniqueness

Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08A426F0
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 295ad156223ff22b94c881ad58d001f116aeba9869b665f375cdf34b54d7138e
                                                            • Instruction ID: 5cea322cac5b4c1c5886801346f60e3d9261803dc62bbd5b7d7f537de6f03e0a
                                                            • Opcode Fuzzy Hash: 295ad156223ff22b94c881ad58d001f116aeba9869b665f375cdf34b54d7138e
                                                            • Instruction Fuzzy Hash: E42114719003499FCF10DFAAD880BEEBBB5FF88314F15842AE519A7640DB789944CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetThreadContext.KERNELBASE(?,00000000), ref: 08A42466
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
                                                            Similarity
                                                            • API ID: ContextThread
                                                            • String ID:
                                                            • API String ID: 1591575202-0
                                                            • Opcode ID: e03ebf93e39531ca7210e9686c23fb70edb6d1556d59ccbb520621e844d190c8
                                                            • Instruction ID: 60ecac067ad8439854935190d8da32549e3e7578394356cec52c45554d0a2193
                                                            • Opcode Fuzzy Hash: e03ebf93e39531ca7210e9686c23fb70edb6d1556d59ccbb520621e844d190c8
                                                            • Instruction Fuzzy Hash: A82107719043099FCB10DFAAD4847EEBBF4EF88224F14842AE519A7640DB78A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08A426F0
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 2f0daaea1d2abd6de306b5b6572e25df62b2675a2f8db16b4a4b10bbf08b2672
                                                            • Instruction ID: 4a349715d4975a9ace5f33cbc0aa9c0e01f4115d94a2c5aceffa46584a5a9341
                                                            • Opcode Fuzzy Hash: 2f0daaea1d2abd6de306b5b6572e25df62b2675a2f8db16b4a4b10bbf08b2672
                                                            • Instruction Fuzzy Hash: DD2103B1D002499FCF00CFA9D9807EEBBB5FF48314F15842AE529A7640DB7899558BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08A4252E
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: e7cedaa1ca78148718aa41c9104fe3ac3b64952c077d6f765f6a95981e6e1edf
                                                            • Instruction ID: fc896e6a9c12ee57aae5221a098c5cbd89ec26c5641533d71b544fed5de3eae6
                                                            • Opcode Fuzzy Hash: e7cedaa1ca78148718aa41c9104fe3ac3b64952c077d6f765f6a95981e6e1edf
                                                            • Instruction Fuzzy Hash: 491167729042489FCF10CFA9D8447EFBBF5EF88324F24841AE529A7650CB799945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017696F1,00000800,00000000,00000000), ref: 01769902
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 775ffee437209eced9caa1e236520527759d9a4593bda333aa4d1b782e9f58f8
                                                            • Instruction ID: 0114ff2b7fea9fcec3a4f0cd941ea0c6fd94a7295313e4a25b1b6dc50253f4de
                                                            • Opcode Fuzzy Hash: 775ffee437209eced9caa1e236520527759d9a4593bda333aa4d1b782e9f58f8
                                                            • Instruction Fuzzy Hash: 181117B69043099FDB10CF9AD444ADEFBF8EB98314F10842ED919A7200C779A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08A4252E
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: f15f1c82e929bff8e37ddd9c5eb8b939abe5715a8e7b0a2acbec1497a18119f6
                                                            • Instruction ID: 14b7a2899349e994af80541346016e4065dc0ac33fee647b44d60a8aa74ee7d9
                                                            • Opcode Fuzzy Hash: f15f1c82e929bff8e37ddd9c5eb8b939abe5715a8e7b0a2acbec1497a18119f6
                                                            • Instruction Fuzzy Hash: 1F1156729042089BCF10DFA9D8447EEBBF5AB88324F248419E529A7650CB79A944CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017696F1,00000800,00000000,00000000), ref: 01769902
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: cda25a2e55cddc5d532e0dd75cc2186e238998d5120e5b6133c795927557d266
                                                            • Instruction ID: 0fdf6f0544530bd812e6b82481cc34efd975dd2b6500e26f307d127e6a60de19
                                                            • Opcode Fuzzy Hash: cda25a2e55cddc5d532e0dd75cc2186e238998d5120e5b6133c795927557d266
                                                            • Instruction Fuzzy Hash: 2E11D6B69003098FDB14CF9AD884ADEFBF4BB98314F15842ED515A7600C779A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 7d08b3f9ed0276fdb7d2525c22c9c3d2c391f45016659af3421d01de392b13e7
                                                            • Instruction ID: 1491ebf7d00ab5f76baf6fdb011db30c1d53d09ad704c314ed664830efad3540
                                                            • Opcode Fuzzy Hash: 7d08b3f9ed0276fdb7d2525c22c9c3d2c391f45016659af3421d01de392b13e7
                                                            • Instruction Fuzzy Hash: 071146B1D046488FDB10DFA9D8447EEBBF4EB88314F24881AD519A7640CB79A945CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,056C83F9,?,?), ref: 056C85A0
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.402739286.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_56c0000_vlc.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            • String ID:
                                                            • API String ID: 2591292051-0
                                                            • Opcode ID: 5f7aa4e9b17aae74cdfd4cadfd9bf90b9365bdba71b19d5dbe7e3d70c14e57f3
                                                            • Instruction ID: c59b7a2fa942bc476f4e0be4887e73534c82c16de86e453dbdee95262da0ab68
                                                            • Opcode Fuzzy Hash: 5f7aa4e9b17aae74cdfd4cadfd9bf90b9365bdba71b19d5dbe7e3d70c14e57f3
                                                            • Instruction Fuzzy Hash: 891128B18047098FCB20DF99D5857EEBBF4EB88320F10845AD559A7740D778A944CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.408765229.0000000008A40000.00000040.00000001.sdmp, Offset: 08A40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_8a40000_vlc.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: e834248cb99fd36b00096fc45650113c0456740f7e3327fd8ed6c752bfe3b87d
                                                            • Instruction ID: f0ec0bf2690368a5f80fc45be895cc5d2d634879450202b0289b4f34a8cf4d6e
                                                            • Opcode Fuzzy Hash: e834248cb99fd36b00096fc45650113c0456740f7e3327fd8ed6c752bfe3b87d
                                                            • Instruction Fuzzy Hash: 35113A71D043488BCB10DFAAD4447DEFBF4AF88224F248419D519A7640CB79A944CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01769676
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.395502813.0000000001760000.00000040.00000001.sdmp, Offset: 01760000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_1760000_vlc.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 19dfd17a09ff3e69ff955b566597e6843d27ed67351b72ee57aaff409484a161
                                                            • Instruction ID: 8223268c5e4aa359276f8a2bce86328c00d0dcc5ad22c18af840fa54edeaff1b
                                                            • Opcode Fuzzy Hash: 19dfd17a09ff3e69ff955b566597e6843d27ed67351b72ee57aaff409484a161
                                                            • Instruction Fuzzy Hash: 1C1102B1C007498FDB10CF9AD444ADEFBF8AB88324F10851AD929B7610C379A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,056C83F9,?,?), ref: 056C85A0
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.402739286.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_56c0000_vlc.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            • String ID:
                                                            • API String ID: 2591292051-0
                                                            • Opcode ID: 39a7b4ec4c821c268da7e83c576df4dd69b43e4f6d7bfcc6d345f62cd12e7121
                                                            • Instruction ID: 120f47c55cf94c2f56bba7a5abe68a0eabf44152a0e91b565cd9b79753cc10e3
                                                            • Opcode Fuzzy Hash: 39a7b4ec4c821c268da7e83c576df4dd69b43e4f6d7bfcc6d345f62cd12e7121
                                                            • Instruction Fuzzy Hash: 831122B68003098FCB20CF99D5857EEBBF4EF48320F24841AD869A7740D778A584CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.395016047.000000000162D000.00000040.00000001.sdmp, Offset: 0162D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_162d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 12c4e093c4b1e557a2b865c9c4d4d9af7648f14a2a05f4c1f973a963074b3da8
                                                            • Instruction ID: a3a75b5acb133af68c8adf5f6927955f775f5d880d9aac1b518a68446e751d55
                                                            • Opcode Fuzzy Hash: 12c4e093c4b1e557a2b865c9c4d4d9af7648f14a2a05f4c1f973a963074b3da8
                                                            • Instruction Fuzzy Hash: 592103B1504640DFDB01DF54DCC0B26BFA5FB88328F24C569E9055B706C376E856CAA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.395117370.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_163d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 64c754ed174995c2d9ab7cbc9ba103b35ca47e842c52c7f36ce2ca8932851595
                                                            • Instruction ID: 9a38c8faafc5e881106b3ecf15fa7144dcb556ed739c9f92ddf615f1a2de8e72
                                                            • Opcode Fuzzy Hash: 64c754ed174995c2d9ab7cbc9ba103b35ca47e842c52c7f36ce2ca8932851595
                                                            • Instruction Fuzzy Hash: 7B212571504200EFDB01CF94DDC0B26BBA5FBC4324F20C56DEA094B346C736D806CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.395117370.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_163d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3da277bef356453890ef228cbfb206c7537c627ff747b12ff4580cdbdd703946
                                                            • Instruction ID: dd4643d1a3e962e37c7c79d2438208e26d11c90ec657dba6cbc7858d4f439da0
                                                            • Opcode Fuzzy Hash: 3da277bef356453890ef228cbfb206c7537c627ff747b12ff4580cdbdd703946
                                                            • Instruction Fuzzy Hash: 8D2100B1608240DFCB11CFA4DCC0B26FBA5FB88A54F60C969E80A4B346C336D847CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.395016047.000000000162D000.00000040.00000001.sdmp, Offset: 0162D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_162d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b0b404d9eecf1aa7ef9aea8b33e7c2e64b2c905fd441304741711280b6bf8a9a
                                                            • Instruction ID: a496d5b889200a6665c244d5f0ecd8d5c2c00bac2d790f269aa35eae09bc69be
                                                            • Opcode Fuzzy Hash: b0b404d9eecf1aa7ef9aea8b33e7c2e64b2c905fd441304741711280b6bf8a9a
                                                            • Instruction Fuzzy Hash: E711DF72404680CFCB02CF14D9C0B16BF71FB84324F24C6A9D8041B616C336D45ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.395117370.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_163d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction ID: 759b1c1bd9f5073512dd87a32e5998161ef03c990a7ad272967cc1a21633b093
                                                            • Opcode Fuzzy Hash: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction Fuzzy Hash: 4F11BE75504280CFCB12CF54D9C4B15FBA1FB84714F24C6A9D8494B756C33AD45ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.395117370.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_163d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction ID: 15aa2c291d14889c2b211ccc863f54d9566dbe686ee24c1208094763a026fbed
                                                            • Opcode Fuzzy Hash: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction Fuzzy Hash: 4411BB75904280DFCB02CF54D9C0B15FBA1FB84224F28C6A9D9494B756C33AD45ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Execution Graph

                                                            Execution Coverage:10.5%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:213
                                                            Total number of Limit Nodes:14

                                                            Graph

19583->19584 19587 a59430 19583->19587 19596 a5941f 19583->19596 19588 a59443 19587->19588 19589 a5945b 19588->19589 19605 a5970c 19588->19605 19610 a596b8 19588->19610 19614 a596a9 19588->19614 19589->19584 19590 a59453 19590->19589 19591 a59658 GetModuleHandleW 19590->19591 19592 a59685 19591->19592 19592->19584 19597 a59443 19596->19597 19599 a5945b 19597->19599 19602 a5970c LoadLibraryExW 19597->19602 19603 a596a9 LoadLibraryExW 19597->19603 19604 a596b8 LoadLibraryExW 19597->19604 19598 a59453 19598->19599 19600 a59658 GetModuleHandleW 19598->19600 19599->19584 19601 a59685 19600->19601 19601->19584 19602->19598 19603->19598 19604->19598 19606 a596ba 19605->19606 19609 a59717 19605->19609 19607 a596f1 19606->19607 19618 a587a0 19606->19618 19607->19590 19611 a596cc 19610->19611 19612 a587a0 LoadLibraryExW 19611->19612 19613 a596f1 19611->19613 19612->19613 19613->19590 19615 a596cc 19614->19615 19616 a587a0 LoadLibraryExW 19615->19616 19617 a596f1 19615->19617 19616->19617 19617->19590 19619 a59898 LoadLibraryExW 19618->19619 19621 a59911 19619->19621 19621->19607 19528 69837d7 19532 698257a 19528->19532 19536 6982580 19528->19536 19529 69831ff 19533 69825c8 WriteProcessMemory 19532->19533 19535 698261f 19533->19535 19535->19529 19537 69825c8 WriteProcessMemory 19536->19537 19539 698261f 19537->19539 19539->19529

                                                            Executed Functions

                                                            Control-flow Graph

                                                            APIs
                                                            • ResumeThread.KERNELBASE ref: 0698239A
                                                            • GetThreadContext.KERNELBASE(?,00000000), ref: 06982466
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: Thread$ContextResume
                                                            • String ID:
                                                            • API String ID: 909585217-0
                                                            • Opcode ID: bc350f085e03c134a34369a612e64f280fe8247d7348995992202bbbce416b5c
                                                            • Instruction ID: 0a5f13eedcc6c5598ae7f2f09fc32316b736a9fdd17503c704141a2e5a2c1cb4
                                                            • Opcode Fuzzy Hash: bc350f085e03c134a34369a612e64f280fe8247d7348995992202bbbce416b5c
                                                            • Instruction Fuzzy Hash: 1A316D71D043098FCB10DFA9E4847EEBBF5AF48314F25842AD559A7640CB789A48CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06982ADE
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 7afebe3e9daf2539e1085d83b7bd50a0c382f8d838474a30ab7fa15ec693dc2f
                                                            • Instruction ID: 3699acae6bb940ea3102b8332d9d516473cf03ba23746eaeb19b4c3c373ab7a6
                                                            • Opcode Fuzzy Hash: 7afebe3e9daf2539e1085d83b7bd50a0c382f8d838474a30ab7fa15ec693dc2f
                                                            • Instruction Fuzzy Hash: 41A18E71E00219CFDB60DF68CD80BEDBBB2BF48314F158569D809A7680DB799A85CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06982ADE
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: c75a9b09f100d5743ece5ddf02b5a5d5ff10780c40cfd444f5028fa76286ac8d
                                                            • Instruction ID: dc852a4cb3dcda254bcf86a2cb419345f119753bed4b3e6afbc98d791824fd7d
                                                            • Opcode Fuzzy Hash: c75a9b09f100d5743ece5ddf02b5a5d5ff10780c40cfd444f5028fa76286ac8d
                                                            • Instruction Fuzzy Hash: 11919C31E00219CFDB60DF68C880BEDBBB2BF48314F158569D809A7680DB799A85CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00A59676
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 2feccbc6d90d11737f100eabecc587ffedb9df3d95471e43c0193b7b844e85da
                                                            • Instruction ID: c4af53368643e87933d529cbdf249ba442ab7126dead78a34c47f49fbf0e959e
                                                            • Opcode Fuzzy Hash: 2feccbc6d90d11737f100eabecc587ffedb9df3d95471e43c0193b7b844e85da
                                                            • Instruction Fuzzy Hash: E0712370A00B058FD724DF2AD14175BBBF5BF88305F108929E85ADBA50EB79E9098B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A5FEAA
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 46ce552fa6532ad36df0ce59012cec300b15af083240dfb5b47bd9c1422c2df1
                                                            • Instruction ID: 035eb96c09d2f436d205c7bd99c5121e83473da671ca6e1c33f3948b7717ce5d
                                                            • Opcode Fuzzy Hash: 46ce552fa6532ad36df0ce59012cec300b15af083240dfb5b47bd9c1422c2df1
                                                            • Instruction Fuzzy Hash: 205136B1D043499FDB11CFA9D880ADEBFB5FF49314F24812AE809AB251D7749886CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            APIs
                                                            • GetUserNameA.ADVAPI32(00000000), ref: 069846BC
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID:
                                                            • API String ID: 2645101109-0
                                                            • Opcode ID: ae988a44e756d5d15707e989c2600ce1cd5e550b394f724bbd7045ed3806256b
                                                            • Instruction ID: 60ce2eb1ab95be4675c394c218fa870d5e5d5ee5a89a42b1eb5a5736ffe03c60
                                                            • Opcode Fuzzy Hash: ae988a44e756d5d15707e989c2600ce1cd5e550b394f724bbd7045ed3806256b
                                                            • Instruction Fuzzy Hash: F3516670D002598FDB14DFA9C894BDEBBF5BF48704F248029E816AB790DB789945CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            APIs
                                                            • GetUserNameA.ADVAPI32(00000000), ref: 069846BC
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID:
                                                            • API String ID: 2645101109-0
                                                            • Opcode ID: 9a1903ed2b8b5cc0d36694340fb73a0e5d817ae7c3e7f8adb2abd4d2d527986a
                                                            • Instruction ID: 4c0c8fed4611d3816d924d35443917b1152cc25bf53e2c93e4fbeaffa54dd950
                                                            • Opcode Fuzzy Hash: 9a1903ed2b8b5cc0d36694340fb73a0e5d817ae7c3e7f8adb2abd4d2d527986a
                                                            • Instruction Fuzzy Hash: 6F514570D002598FDB14DFA9C894BDEBBF5BF48704F248029D81AAB790DB789845CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A5FEAA
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 2cdd5a2e356f4658d3321cc921713a850f9fb4cb9f74ccc29b6238fa112b8601
                                                            • Instruction ID: 9eeb22b09d8886729fe1cf1eec42dbe3accb9afacbcc3733766732b0e1b21529
                                                            • Opcode Fuzzy Hash: 2cdd5a2e356f4658d3321cc921713a850f9fb4cb9f74ccc29b6238fa112b8601
                                                            • Instruction Fuzzy Hash: 1E51C0B1D00348DFDF14CF99D885ADEBBB5BF48314F24812AE819AB251D7759849CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A5FEAA
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: d541f358483a9f73a0b33ed31a2fc4c032541c168f1419c255dc95d687936c3b
                                                            • Instruction ID: 6dbf89002d824ca4b2ad8cab3786492c533c9d2813f2e34d52bdc82b15a98c22
                                                            • Opcode Fuzzy Hash: d541f358483a9f73a0b33ed31a2fc4c032541c168f1419c255dc95d687936c3b
                                                            • Instruction Fuzzy Hash: BE51E0B1D003489FDB14CFA9D884ADEFFB5BF88314F24812AE819AB211D7759845CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 00A55451
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: a0ea3917ab97e590023c2fd83e8c0098a60340b1aa3ad80fae6cd12c39d1c805
                                                            • Instruction ID: 74a620dcd958d2604b6828e7adf2f5b4afe63b3b83115a3b3683dddf50532492
                                                            • Opcode Fuzzy Hash: a0ea3917ab97e590023c2fd83e8c0098a60340b1aa3ad80fae6cd12c39d1c805
                                                            • Instruction Fuzzy Hash: 2E41E471D04618CFDB24CFA9C984BDEBBF1BF49309F25805AD408AB251DB796949CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 00A55451
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 538dd93597a6f1b2a1818c38fb3abd818bea62ffd0cc192aef0f327c375790e8
                                                            • Instruction ID: e6ab70f8d579ebe297dea95dfb8b85d9114161035449adf813d482115d2d5d9c
                                                            • Opcode Fuzzy Hash: 538dd93597a6f1b2a1818c38fb3abd818bea62ffd0cc192aef0f327c375790e8
                                                            • Instruction Fuzzy Hash: DA410270D0461CCBDB24CFA9C884B9EBBF1BF49309F258059D408BB251DBB96949CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06982610
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: be082cedba6c615b628be70736b4611136ff8d89ffaf3996c0f0bf8c6ac23a04
                                                            • Instruction ID: 8e5a52301c748ca42c9fd07f02f3e3aa07d32978631d536ef2a6a334ccd40798
                                                            • Opcode Fuzzy Hash: be082cedba6c615b628be70736b4611136ff8d89ffaf3996c0f0bf8c6ac23a04
                                                            • Instruction Fuzzy Hash: 1B212771D003499FCB10DFA9D884BEEBBF5FF48314F14842AE919A7640DB789944CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06982610
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 4382c0b18568ad3239a5d53d5ea3243e5f66f946d51f5d104d62534230e9046d
                                                            • Instruction ID: 1560c29d581fb5298a6c2b1ae3a17fb204aefabfae99f1c82136c2518b2d8b27
                                                            • Opcode Fuzzy Hash: 4382c0b18568ad3239a5d53d5ea3243e5f66f946d51f5d104d62534230e9046d
                                                            • Instruction Fuzzy Hash: A5212472D003499FCB10DFA9D8807EEBBF5FF48354F14842AE919A7640DB789A54CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A5B91E,?,?,?,?,?), ref: 00A5B9DF
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 67814a2728750e8769191631a2e726192ff579758d57338e193b33f731611c71
                                                            • Instruction ID: 5caec6bde8ed69414fdcb14c3edba058541873fe0780defb8cf354e382d8625a
                                                            • Opcode Fuzzy Hash: 67814a2728750e8769191631a2e726192ff579758d57338e193b33f731611c71
                                                            • Instruction Fuzzy Hash: 872103B5900248DFDB10CFA9D884AEEBBF8FB48325F14801AE914B3310D778A944CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069826F0
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: b283e30a84604dc806b1dc1c48449fc35086cc527df49037fd730b404148ac2b
                                                            • Instruction ID: c996166767164f8066b0de544a4cb611deffbee448516f7fc89b224e5064b57d
                                                            • Opcode Fuzzy Hash: b283e30a84604dc806b1dc1c48449fc35086cc527df49037fd730b404148ac2b
                                                            • Instruction Fuzzy Hash: 6E2145B1D042499FCF10DFAAD880BEEBBF4FF48314F14842AE519A7640DB799905CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069826F0
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 5f850cb9f094ea2cd00e97c754152c572d7b0abed9ec6dcf9c8a8ef4c10255dc
                                                            • Instruction ID: ab0c1b6f3efecf0c9ddb148e2acdb71bed1210c58266dfda3c809924f679e7be
                                                            • Opcode Fuzzy Hash: 5f850cb9f094ea2cd00e97c754152c572d7b0abed9ec6dcf9c8a8ef4c10255dc
                                                            • Instruction Fuzzy Hash: 74211471D042499FCB10DFAAD880AEEBBF5FF48314F14842AE519A7640DB789944CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetThreadContext.KERNELBASE(?,00000000), ref: 06982466
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: ContextThread
                                                            • String ID:
                                                            • API String ID: 1591575202-0
                                                            • Opcode ID: 831a4bd9889c784b5105db2bc438a3052da3e3c5891ab65302de54801f6367aa
                                                            • Instruction ID: 2a6b3e60c7359d62bb306b01891bf70ca6abace907a07b7ce37d540532005201
                                                            • Opcode Fuzzy Hash: 831a4bd9889c784b5105db2bc438a3052da3e3c5891ab65302de54801f6367aa
                                                            • Instruction Fuzzy Hash: AA214971D043088FCB10DFAAD4847EEBBF4EF88354F148429D519A7640DB789A48CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A5B91E,?,?,?,?,?), ref: 00A5B9DF
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: d3bd84e22e3c0d52fa664f5112737690aecf05b237575a61fcb3b818cbeadf83
                                                            • Instruction ID: 0ccd9b9bccf0ec9277ca6c86265ac4fea69dab75f315f007d24d228b6910bd8f
                                                            • Opcode Fuzzy Hash: d3bd84e22e3c0d52fa664f5112737690aecf05b237575a61fcb3b818cbeadf83
                                                            • Instruction Fuzzy Hash: 1121E4B5D00248DFDB10CFA9D984AEEBBF4FB48324F14801AE914A7310D778A944CF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A596F1,00000800,00000000,00000000), ref: 00A59902
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: abcc21344b50a649630a2a68607163a1b581cffc41701c901127b02229b5a578
                                                            • Instruction ID: a8a3d57f21ba05a7c6d1fd0e485fb8b5ba2d410d08865581fcf0fa89dabf623f
                                                            • Opcode Fuzzy Hash: abcc21344b50a649630a2a68607163a1b581cffc41701c901127b02229b5a578
                                                            • Instruction Fuzzy Hash: 8D1103B2D04249DFDB10CF9AD444AEEBBF4FB48355F10842EE819A7610C779A949CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0698252E
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 5e8cc60f311e018210c86523b948e76deff164fc7b4779fb9f9f3019df9e4902
                                                            • Instruction ID: 3493ee62e627f6b20c969eb96d3c860f32c24b69a305fa8b25c83fb00b4efb16
                                                            • Opcode Fuzzy Hash: 5e8cc60f311e018210c86523b948e76deff164fc7b4779fb9f9f3019df9e4902
                                                            • Instruction Fuzzy Hash: 1F1197729043488FCF10DFA9E8447EEBBF6AB48314F248819E515A7650CB399A04CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0698252E
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: c7632f7d4494b4078fa60090d0e9e75348b0e1e29a6046f6606023373768e7cd
                                                            • Instruction ID: 17879cb43447ca6c83b7cf97cd4b7075a2efd2b5e9f1725051bf9433bf1680e4
                                                            • Opcode Fuzzy Hash: c7632f7d4494b4078fa60090d0e9e75348b0e1e29a6046f6606023373768e7cd
                                                            • Instruction Fuzzy Hash: 471137729043489FCB10DFA9D844BEFBBF5AF48324F248419E515A7650CB799944CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A596F1,00000800,00000000,00000000), ref: 00A59902
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: ae3c6c619cb2abf27b1973f5eff9e11e32cf8da555d3f7ab7817c70e4c4091e5
                                                            • Instruction ID: 2c45f58a2f7ad018fa3075a3c3dee434f72727fa18fce63054415f8a6e87fac3
                                                            • Opcode Fuzzy Hash: ae3c6c619cb2abf27b1973f5eff9e11e32cf8da555d3f7ab7817c70e4c4091e5
                                                            • Instruction Fuzzy Hash: 8D1103B2900249CFCB10CF9AD484ADEFBF4FB48314F14842ED829A7600C779A549CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: b6b1fe67da6983e464370494b1ee5dd8e051c179dff166195b13dab4a88e56d0
                                                            • Instruction ID: 8d2cc6fab85594a29f6acdcadae61ceea143f12d6d25ec0865dd687f948cc3e0
                                                            • Opcode Fuzzy Hash: b6b1fe67da6983e464370494b1ee5dd8e051c179dff166195b13dab4a88e56d0
                                                            • Instruction Fuzzy Hash: A7116AB1D046488FCB10DFA9E8447EEFBF5AF48318F25841AD519B7640CB79A948CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.431877491.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6980000_vlc.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: c02ef3c7ba4e0bc08e104823b2581390f83f1b82d4ff5ad03cc96ee4e6a85284
                                                            • Instruction ID: 1360cae684921de6b8ddcf14cba5ee70bc4dfe6b7cebcc4382728348defe85a6
                                                            • Opcode Fuzzy Hash: c02ef3c7ba4e0bc08e104823b2581390f83f1b82d4ff5ad03cc96ee4e6a85284
                                                            • Instruction Fuzzy Hash: 86113A71D043488FCB10DFAAD8447EEFBF4AB88224F24841AD519B7640CB79A944CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00A59676
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408490405.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a50000_vlc.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 5afd9c25edad7927f0f48ec469e42a76e106c7f8568bd90e10dce7d5d468d231
                                                            • Instruction ID: a98708bda41c831a85b8ef0fe0dc19c090e4be110e79a641c4f36755009ebf38
                                                            • Opcode Fuzzy Hash: 5afd9c25edad7927f0f48ec469e42a76e106c7f8568bd90e10dce7d5d468d231
                                                            • Instruction Fuzzy Hash: 3D1113B1C006498FCB10CF9AD444BDEFBF4BB88324F10841AD819B7600C379A549CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408112378.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_9fd000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b84de04404d9ad11a25b6ea69288a4158f258f82458e2695f78948478150c33d
                                                            • Instruction ID: 318b27b2daeb23a0f3c756e32828ff79efbe59dd6065cead549ca1f5336a75b7
                                                            • Opcode Fuzzy Hash: b84de04404d9ad11a25b6ea69288a4158f258f82458e2695f78948478150c33d
                                                            • Instruction Fuzzy Hash: BB212871504248DFDB01DF14D8C0B36BF6AFB88328F24C569FA050B64AC336D856D7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408199505.0000000000A0D000.00000040.00000001.sdmp, Offset: 00A0D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a0d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 176878514f1a5c1ded4a554577f877d67ff53bb23bdbde3f5d87ae88cebe8704
                                                            • Instruction ID: 2a23ece210446f4c8c9fc0762e893e790822053ba2524a144dc20a425786e825
                                                            • Opcode Fuzzy Hash: 176878514f1a5c1ded4a554577f877d67ff53bb23bdbde3f5d87ae88cebe8704
                                                            • Instruction Fuzzy Hash: DF213772504208EFCB00DF94E9C0B66BBA5FB88314F20C96DE8094B286C736D806CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408199505.0000000000A0D000.00000040.00000001.sdmp, Offset: 00A0D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a0d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 658bbf199ec069a7e26837cef312f7a614588460b1504c2183622603dc5990c0
                                                            • Instruction ID: 86ad0a2b729876be4d4f529c75a40beb0744c8080923e032790d0e61dc695b9b
                                                            • Opcode Fuzzy Hash: 658bbf199ec069a7e26837cef312f7a614588460b1504c2183622603dc5990c0
                                                            • Instruction Fuzzy Hash: 0D21F572604248DFDB14DF54E8C0B26BBA5FB84314F24C969E80E4B686C737D847CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408199505.0000000000A0D000.00000040.00000001.sdmp, Offset: 00A0D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a0d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e435b0ffc6beafc7bb401a218648201d9c4829f6ceb627bc5fec4ff71a215afc
                                                            • Instruction ID: 6035eae4f932e2fad7b42433ac930ddd02758de394fbb552b0608cc0542f7061
                                                            • Opcode Fuzzy Hash: e435b0ffc6beafc7bb401a218648201d9c4829f6ceb627bc5fec4ff71a215afc
                                                            • Instruction Fuzzy Hash: DE21A1765093C48FCB02CF24E990B15BF71EB46314F28C5DAD8498B697C33AD81ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408112378.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_9fd000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b0b404d9eecf1aa7ef9aea8b33e7c2e64b2c905fd441304741711280b6bf8a9a
                                                            • Instruction ID: 9aa055704f615df4fe159e221c366a33bee4e6eb1a0ce09392af979605245c5b
                                                            • Opcode Fuzzy Hash: b0b404d9eecf1aa7ef9aea8b33e7c2e64b2c905fd441304741711280b6bf8a9a
                                                            • Instruction Fuzzy Hash: 8511E676404284CFCF11CF14D5C4B26BF72FB94324F24C6A9E9450B65AC336D85ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.408199505.0000000000A0D000.00000040.00000001.sdmp, Offset: 00A0D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_a0d000_vlc.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction ID: 8dd867df44ede8516f6d902ecfc9016b5e64dcb0b6088a2a89f646f994377546
                                                            • Opcode Fuzzy Hash: c40815aa96ad224e52f0cfc49c91d5d461766df6e79e458980e1d5915392af9a
                                                            • Instruction Fuzzy Hash: 6011DD76904284DFCB01CF54E5C0B55FBB1FB88324F28C6ADD8494B696C33AD85ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
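The entries above from the memory region at 0x06980000 (VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, GetThreadContext, ResumeThread) are the native calls behind the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures of this report. The following is an added example, not part of the Joe Sandbox report or of the sample: a small detector that scans an ordered API-call trace for that injection sequence on a per (caller, target) basis. The ApiEvent schema, the pids and sizes, and both sample traces are constructed for this example and are not Joe Sandbox's trace format.

```python
# Added example (not from the Joe Sandbox report): sequence detector for the
# remote-process-injection pattern VirtualAllocEx -> WriteProcessMemory ->
# ResumeThread, with the suspended-child / thread-context calls as extra
# indicators that distinguish process hollowing from plain injection.
# The ApiEvent schema and the traces below are constructed for this example.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*


@dataclass
class ApiEvent:
    api: str                  # Win32 API name as logged, e.g. "WriteProcessMemory"
    pid: int                  # process that made the call
    target: Optional[int]     # pid the call acts on (assumption: child pid for
                              # CreateProcess*, owning pid for thread handles);
                              # None means the caller's own process
    args: dict = field(default_factory=dict)


@dataclass
class _State:
    suspended: bool = False    # target was created with CREATE_SUSPENDED
    allocated: int = 0         # bytes reserved in the target via VirtualAllocEx
    writes: int = 0            # number of WriteProcessMemory calls
    bytes_written: int = 0
    context_read: bool = False  # GetThreadContext on a target thread
    context_set: bool = False   # SetThreadContext on a target thread
    peb_read: bool = False      # ReadProcessMemory before any write (image-base lookup)


def detect_injection(events):
    """Scan an ordered trace; return one finding per (caller, target) pair whose
    calls complete VirtualAllocEx -> WriteProcessMemory -> ResumeThread.
    State is kept per pair so calls against unrelated processes do not mix."""
    states = defaultdict(_State)
    findings = []
    for ev in events:
        if ev.target is None or ev.target == ev.pid:
            continue  # calls against the caller's own process are not remote injection
        key = (ev.pid, ev.target)
        st = states[key]
        if ev.api in ("CreateProcessW", "CreateProcessA", "CreateProcessInternalW"):
            if ev.args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                st.suspended = True
        elif ev.api == "VirtualAllocEx":
            st.allocated += ev.args.get("dwSize", 0)
        elif ev.api == "ReadProcessMemory":
            if st.writes == 0:
                st.peb_read = True
        elif ev.api == "WriteProcessMemory":
            st.writes += 1
            st.bytes_written += ev.args.get("nSize", 0)
        elif ev.api == "GetThreadContext":
            st.context_read = True
        elif ev.api == "SetThreadContext":
            st.context_set = True
        elif ev.api == "ResumeThread":
            if st.allocated and st.writes:
                findings.append(_finding(ev.pid, ev.target, st))
            states.pop(key)  # sequence consumed; a later sequence starts fresh
    return findings


def _finding(pid, target, st):
    hollowing = st.suspended and st.context_read and st.context_set
    return {
        "caller": pid,
        "target": target,
        "technique": "process hollowing" if hollowing else "remote code injection",
        "bytes_written": st.bytes_written,
        "indicators": [name for name, hit in (("suspended_child", st.suspended),
                                               ("peb_read", st.peb_read),
                                               ("context_read", st.context_read),
                                               ("context_set", st.context_set)) if hit],
    }


# Constructed trace modelled on the API sequence of the injecting region above
# (pids and sizes are made up: 1400 is the injector, 1488 the suspended child).
HOLLOWING_TRACE = [
    ApiEvent("CreateProcessW", 1400, 1488, {"dwCreationFlags": CREATE_SUSPENDED}),
    ApiEvent("GetThreadContext", 1400, 1488),
    ApiEvent("ReadProcessMemory", 1400, 1488, {"nSize": 4}),          # image base from PEB
    ApiEvent("VirtualAllocEx", 1400, 1488, {"dwSize": 0x2A000, "flProtect": 0x40}),
    ApiEvent("WriteProcessMemory", 1400, 1488, {"nSize": 0x400}),     # PE headers
    ApiEvent("WriteProcessMemory", 1400, 1488, {"nSize": 0x28000}),   # sections
    ApiEvent("SetThreadContext", 1400, 1488),
    ApiEvent("ResumeThread", 1400, 1488),
]

# Constructed benign trace: a debugger reading a target without ever writing to it.
DEBUGGER_TRACE = [
    ApiEvent("GetThreadContext", 2000, 2044),
    ApiEvent("ReadProcessMemory", 2000, 2044, {"nSize": 0x1000}),
    ApiEvent("ResumeThread", 2000, 2044),
]

if __name__ == "__main__":
    for finding in detect_injection(HOLLOWING_TRACE):
        print(finding)
    print(detect_injection(DEBUGGER_TRACE))
```

The detector keys state on the (caller, target) pair rather than on the caller alone because a loader commonly touches several processes in one run; it fires only on ResumeThread after at least one allocation and one write into the same target, so a debugger or a process-inspection tool that only reads memory and thread context does not trip it. Thread-handle-to-process resolution is assumed to have been done by the trace producer; a real hook would have to map the hThread argument of GetThreadContext/ResumeThread back to its owning process.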

                                                            Non-executed Functions