Play interactive tour

Edit tour

Analysis Report Shipping-Document.com

Overview

General Information

Sample Name:	Shipping-Document.com (renamed file extension from com to exe)
Analysis ID:	321421
MD5:	47f1684c0075aea74bb225586d55b6e3
SHA1:	7198622c341f1f6982eb20ac7a431508289df924
SHA256:	58ba104e01f9650518e256c03102a8105428e761988ce5905de77cd45a53ad90
Most interesting Screenshot:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

May check the online IP address of the machine

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Shipping-Document.exe (PID: 1364 cmdline: 'C:\Users\user\Desktop\Shipping-Document.exe' MD5: 47F1684C0075AEA74BB225586D55B6E3)

Shipping-Document.exe (PID: 3420 cmdline: C:\Users\user\Desktop\Shipping-Document.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

Shipping-Document.exe (PID: 1488 cmdline: C:\Users\user\Desktop\Shipping-Document.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 1748 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 2792 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 6052 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 1872 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 4472 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 5352 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 1256 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 3440 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 1012 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 4832 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

vlc.exe (PID: 484 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 47F1684C0075AEA74BB225586D55B6E3)

cleanup

Malware Configuration

Threatname: MassLogger

{"Config: ": ["00000000 -> <|| v2.4.0.0 ||>", "User Name: user", "IP: 84.17.52.25", "Location: United States", "Windows OS: Microsoft Windows 10 Pro 64bit", "Windows Serial Key: VG7NF-BJ77Y-WRF7X-GJVW7-H3M8T", "CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "GPU: Microsoft Basic Display Adapter", "AV: Windows Defender", "Screen Resolution: 1280x1024", "Current Time: 11/21/2020 10:23:00 PM", "MassLogger Started: 11/21/2020 10:22:56 PM", "Interval: 2 hour", "MassLogger Process: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe", "MassLogger Melt: false", "MassLogger Exit after delivery: false", "As Administrator: True", "Processes:", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "<|| WD Exclusion ||>", "Disabled", "<|| Binder ||>", "Disabled", "<|| Downloader ||>", "Disabled", "<|| Window Searcher ||>", "Disabled", "<|| Bot Killer ||>", "Disabled", "<|| Search And Upload ||>", "Disabled", "<|| Telegram Desktop ||>", "Not Installed", "<|| Pidgin ||>", "Not Installed", "<|| FileZilla ||>", "Not Installed", "<|| Discord Tokken ||>", "Not Installed", "<|| NordVPN ||>", "Not Installed", "<|| Outlook ||>", "Not Installed", "<|| FoxMail ||>", "Not Installed", "<|| Thunderbird ||>", "Not Installed", "<|| FireFox ||>", "Not Installed", "<|| QQ Browser ||>", "Not Installed", "<|| Chromium Recovery ||>", "Not Installed or Not Found", "<|| Keylogger And Clipboard ||>", "NA"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000016.00000002.474961619.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000003.392005702.00000000048A0000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000E.00000003.401816626.00000000040ED000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000002.399837462.0000000004325000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000003.380082858.00000000048A0000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000003.285012492.0000000003F10000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000E.00000002.411380915.0000000003515000.00000004.00000001.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Shipping-Document.exe PID: 1488	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Shipping-Document.exe PID: 1488	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Shipping-Document.exe PID: 1488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vlc.exe PID: 3440	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: vlc.exe PID: 3440	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Shipping-Document.exe PID: 1364	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Shipping-Document.exe PID: 1364	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: vlc.exe PID: 1748	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: vlc.exe PID: 1748	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: vlc.exe PID: 1256	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: vlc.exe PID: 1256	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: vlc.exe PID: 1256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vlc.exe PID: 484	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: vlc.exe PID: 484	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: vlc.exe PID: 484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author
26.2.vlc.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.Shipping-Document.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
22.2.vlc.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Log.txt.26.dr.binstr

Malware Configuration Extractor: MassLogger {"Config: ": ["00000000 -> <|| v2.4.0.0 ||>", "User Name: user", "IP: 84.17.52.25", "Location: United States", "Windows OS: Microsoft Windows 10 Pro 64bit", "Windows Serial Key: VG7NF-BJ77Y-WRF7X-GJVW7-H3M8T", "CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "GPU: Microsoft Basic Display Adapter", "AV: Windows Defender", "Screen Resolution: 1280x1024", "Current Time: 11/21/2020 10:23:00 PM", "MassLogger Started: 11/21/2020 10:22:56 PM", "Interval: 2 hour", "MassLogger Process: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe", "MassLogger Melt: false", "MassLogger Exit after delivery: false", "As Administrator: True", "Processes:", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome", "<|| WD Exclusion ||>", "Disabled", "<|| Binder ||>", "Disabled", "<|| Downloader ||>", "Disabled", "<|| Window Searcher ||>", "Disabled", "<|| Bot Killer ||>", "Disabled", "<|| Search And Upload ||>", "Disabled", "<|| Telegram Desktop ||>", "Not Installed", "<|| Pidgin ||>", "Not Installed", "<|| FileZilla ||>", "Not Installed", "<|| Discord Tokken ||>", "Not Installed", "<|| NordVPN ||>", "Not Installed", "<|| Outlook ||>", "Not Installed", "<|| FoxMail ||>", "Not Installed", "<|| Thunderbird ||>", "Not Installed", "<|| FireFox ||>", "Not Installed", "<|| QQ Browser ||>", "Not Installed", "<|| Chromium Recovery ||>", "Not Installed or Not Found", "<|| Keylogger And Clipboard ||>", "NA"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Virustotal: Detection: 20%			Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Show sources

Source: Shipping-Document.exe	Virustotal: Detection: 20%			Perma Link
Source: Shipping-Document.exe	ReversingLabs: Detection: 20%

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 54.243.164.148 54.243.164.148
Source: Joe Sandbox View	IP Address: 54.243.164.148 54.243.164.148
Source: Joe Sandbox View	IP Address: 54.235.142.93 54.235.142.93
Source: Joe Sandbox View	IP Address: 54.235.142.93 54.235.142.93

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive

Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp

String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org/
Source: Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org/P
Source: Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org/p
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.orgD
Source: vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify8
Source: vlc.exe, 00000016.00000002.486012293.0000000002D1B000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify8R
Source: Shipping-Document.exe, 00000005.00000002.485070930.0000000002FAF000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify8v
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Shipping-Document.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Shipping-Document.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.486045579.0000000002D20000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485599592.0000000003142000.00000004.00000001.sdmp	String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0L
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: Shipping-Document.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: Shipping-Document.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Shipping-Document.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Shipping-Document.exe

Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 0_2_0278C1B4
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 0_2_0278E610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 0_2_0278E600
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 3_2_003F4667
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_00994667
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_05270790
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_05270507
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_05270518
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_052760FB
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_06970818
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_06976561
Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_06976568
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_00BE4667
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_0176C1B4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_0176E610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_0176E600
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_08A454C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_000B4667
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_00A5C1B4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_00A5E600
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_00A5E610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 14_2_069854C8

Source: Shipping-Document.exe

Static PE information: invalid certificate

Source: Shipping-Document.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Shipping-Document.exe, 00000000.00000002.293468023.0000000003B77000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClassLibrary3.dll< vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000000.00000002.290016295.00000000029B9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename" vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEeyxsdnaklophm.dll4 vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000000.00000002.288880734.00000000005C2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000000.00000002.298541463.0000000006FD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000003.00000002.283415905.0000000000562000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000000.284472154.0000000000B02000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.489874672.0000000005310000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.488191884.0000000003DE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIonic.Zip.dllD vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename" vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.479489682.0000000000EF4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Shipping-Document.exe
Source: Shipping-Document.exe, 00000005.00000002.494723433.0000000006E40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Shipping-Document.exe
Source: Shipping-Document.exe	Binary or memory string: OriginalFilenameUlzzwremyvkd6.exe< vs Shipping-Document.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/10@7/3

Source: C:\Users\user\Desktop\Shipping-Document.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN

Jump to behavior

Source: C:\Users\user\Desktop\Shipping-Document.exe

File created: C:\Users\user\AppData\Local\Temp\DotNetZip-fu3v0fes.tmp

Jump to behavior

Source: Shipping-Document.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Shipping-Document.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Shipping-Document.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Shipping-Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR

Source: C:\Users\user\Desktop\Shipping-Document.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Shipping-Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Shipping-Document.exe	Virustotal: Detection: 20%
Source: Shipping-Document.exe	ReversingLabs: Detection: 20%

Source: C:\Users\user\Desktop\Shipping-Document.exe

File read: C:\Users\user\Desktop\Shipping-Document.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Shipping-Document.exe 'C:\Users\user\Desktop\Shipping-Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
Source: unknown	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Source: C:\Users\user\Desktop\Shipping-Document.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Shipping-Document.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\Shipping-Document.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Shipping-Document.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Shipping-Document.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Shipping-Document.exe

Static file information: File size 1631688 > 1048576

Source: Shipping-Document.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16ec00

Source: Shipping-Document.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: Shipping-Document.exe, 00000005.00000002.488191884.0000000003DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.488378125.0000000003B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: Shipping-Document.exe, 00000005.00000002.488191884.0000000003DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.488378125.0000000003B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1364, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1748, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY

Source: C:\Users\user\Desktop\Shipping-Document.exe	Code function: 5_2_05E83121 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 12_2_056C1C34 push 9400005Eh; ret

Source: Shipping-Document.exe, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: Shipping-Document.exe, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: vlc.exe.0.dr, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: vlc.exe.0.dr, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 0.0.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 0.0.Shipping-Document.exe.450000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 0.2.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 0.2.Shipping-Document.exe.450000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 3.2.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 3.2.Shipping-Document.exe.3f0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 3.0.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 3.0.Shipping-Document.exe.3f0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 5.0.Shipping-Document.exe.990000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 5.0.Shipping-Document.exe.990000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 5.2.Shipping-Document.exe.990000.1.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 5.2.Shipping-Document.exe.990000.1.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 12.2.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 12.2.vlc.exe.be0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 12.0.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 12.0.vlc.exe.be0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 14.0.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 14.0.vlc.exe.b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 14.2.vlc.exe.b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 14.2.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 17.2.vlc.exe.4b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 17.2.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 17.0.vlc.exe.4b0000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 17.0.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 18.0.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 18.0.vlc.exe.230000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 18.2.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 18.2.vlc.exe.230000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 19.0.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 19.0.vlc.exe.90000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 19.2.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 19.2.vlc.exe.90000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 20.2.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 20.2.vlc.exe.190000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'
Source: 20.0.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	High entropy of concatenated method names: 'FW7nVgAbH', 'xwdKBQPgt', 'zEduoirWU', 'IrgANIu18', 'PRGffQ9AR', 'r2UtKKWYh', 'EaY3dNjU5', 'X1JW1Hd12', '.ctor', 'VMmMgtrPw'
Source: 20.0.vlc.exe.190000.0.unpack, WstHBVgG0NBqQWrFPh/HH9IqwrjyRGGR3Lw3Z.cs	High entropy of concatenated method names: '.ctor', 'HH9rIqwjy', 'Dispose', 'wGGgR3Lw3', 'q0QYk7yp22XHr0rIkj', 'OnnkTqOhMKsFRFDhJW', 'Q7x0MnYyUAQRwLmZVe', 'K29tKk7mUs7qVSeYxK', 'IiFHGbCy4f0lL65uUi', 'vsjmkeKORRHjOulBpA'

Source: C:\Users\user\Desktop\Shipping-Document.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Shipping-Document.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN	Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Users\user\Desktop\Shipping-Document.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc			Jump to behavior
Source: C:\Users\user\Desktop\Shipping-Document.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc			Jump to behavior

Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Shipping-Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Shipping-Document.exe, 00000000.00000002.289910761.0000000002941000.00000004.00000001.sdmp, Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 0000000C.00000002.396712522.00000000032D1000.00000004.00000001.sdmp, vlc.exe, 0000000E.00000002.409364765.00000000024E1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7200000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7199860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7199750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7199610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7199500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7199407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7199313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7199157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7199063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7198907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7198813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7198703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7198610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7198500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7198360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7198250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7198157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7198063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7197953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7197813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7197703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7197610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7197500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7197407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7197313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7197157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7197063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7196953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7196860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7196750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7196610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7196500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7196407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7196313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7196157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7196000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7195907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7195813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7195703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7195563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7195453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7195360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7195250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7195110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7195000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7194907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7194813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7194703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7194563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7194453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7194360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7194203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7194110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7193860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7193703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7193610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7193516
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7193360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7193250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7192860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7192750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7192657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7192563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7192407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7192000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7191907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7191813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7191657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7191563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7191453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7191360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7191250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7191110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7191016
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7190907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7190813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7190703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7190563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7190453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7190360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7190250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7190110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7190016
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7189907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7189813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7189703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7189563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7189453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7189360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7189250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7189157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7189063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7188907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7188813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7188703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7188610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7188516
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7188360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7188250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7188157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7188063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7187953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7187813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7187703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7187610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7187500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7187407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7187266
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7187157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7187063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7186953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7186860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7186750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7186610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7186500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7186407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7186313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7186203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7186063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185766
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7185000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7184860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7184750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7184657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7184563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7184453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7184313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7184203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7184110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7184000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7183907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7183813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7183657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7183563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7183453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7183360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7183250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7183110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7183000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7182907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7182813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7182703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7182563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7182453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7182360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7182250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7182157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7182063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7181907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7181813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7181703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7181610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7181500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7181360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7181250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7181157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7181063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7180953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7180813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7180703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7180610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7180500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7180407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7180313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7180157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7180063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7179953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7179860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7179750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7179610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7179500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7179407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7179313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7179203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7179063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7178000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7177860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7177750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7177657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7177563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7177453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7177313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7177203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7177110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7177000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7176907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7176813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7176657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7176563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7176360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7176250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7176110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7176000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7175907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7175813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7175703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7175360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7175250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7175157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7175063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7174703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7174610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7174313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7174157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7174063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7173953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7173813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7173703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7173610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7173500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7173407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7173313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7173157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7173063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7172953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7172860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7172750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7172610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7172500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7172407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7172313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7172203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7172063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7171000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7170860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7170750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7170657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7170563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7170453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7170313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7170203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7170110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7170000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7169907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7169813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7169657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7169563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7169453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7169360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7169250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7169110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7169000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7168907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7168813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7168703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7168563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7168453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7168360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7168250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7168157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7168000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7167907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7167813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7167703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7167563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7167453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7167360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7167250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7167157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7167063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7166907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7166813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7166703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7166610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7166500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7166360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7166250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7166157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7166063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7165953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7165813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7165703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7165610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7165500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7165407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7165313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7165157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7165063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7164953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7164860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7164750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7164610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7164500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7164407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7164313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7164203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7164063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7163000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7162860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7162750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7162657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7162563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7162453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7162313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7162203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7162110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7162000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7161907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7161813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7161657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7161563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7161453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7161360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7161250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7161110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7161000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7160907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7160813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7160703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7160563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7160453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7160360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7160250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7160157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7160063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7159907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7159813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7159703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7159610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7159500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7159360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7159250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7159157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7159063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7158953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7158813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7158703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7158610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7158453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7158313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7158203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7158110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7158000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7157907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7157813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7157407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7157313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7157157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7157063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7156360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7156250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7156110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7156000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7155907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7155813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7155703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7155563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7155453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7155360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7155250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7155157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7155063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7154907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7154813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7154703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7154610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7154500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7154360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7154250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7154157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7154063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7153953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7153813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7153703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7153610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7153500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7153407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7153313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7153157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7153063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7152953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7152860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7152750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7152610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7152500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7152407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7152313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7152203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7152063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7151000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7150860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7150750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7150657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7150563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7150453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7150313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7150203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7150110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7150000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7149907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7149813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7149657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7149563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7149453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7149360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7149250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7149110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7149000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7148907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7148813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7148703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7148563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7148453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7148360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7148250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7148157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7148063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7147907
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7147813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7147703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7147610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7147500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7147360
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7147250
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7147157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7147063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7146953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7146813
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7146703
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7146610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7146500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7146407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7146313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7146157
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7146063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7145953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7145860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7145750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7145610
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7145500
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7145407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7145313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7145203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7145063
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144953
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144407
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7144000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7143860
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7143750
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7143657
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7143563
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7143453
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7143313
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7143203
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7143110
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7143000
Source: C:\Users\user\Desktop\Shipping-Document.exe	Thread delayed: delay time: 7142907

Source: C:\Users\user\Desktop\Shipping-Document.exe

Window / User API: threadDelayed 409

Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 1956	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7200000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7199860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7199750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7199610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7199500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7199407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7199313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7199157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7199063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7198907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7198813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7198703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7198610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7198500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7198360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7198250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7198157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7198063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7197953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7197813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7197703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7197610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7197500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7197407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7197313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7197157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7197063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7196953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7196860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7196750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7196610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7196500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7196407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7196313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7196157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7196000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7195907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7195813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7195703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7195563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7195453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7195360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7195250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7195110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7195000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7194907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7194813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7194703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7194563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7194453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7194360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7194203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7194110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7193860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7193703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7193610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7193516s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7193360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7193250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7192860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7192750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7192657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7192563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7192407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7192000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7191907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7191813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7191657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7191563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7191453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7191360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7191250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7191110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7191016s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7190907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7190813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7190703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7190563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7190453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7190360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7190250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7190110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7190016s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7189907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7189813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7189703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7189563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7189453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7189360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7189250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7189157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7189063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7188907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7188813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7188703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7188610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7188516s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7188360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7188250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7188157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7188063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7187953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7187813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7187703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7187610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7187500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7187407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7187266s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7187157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7187063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7186953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7186860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7186750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7186610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7186500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7186407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7186313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7186203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7186063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185766s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7185000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7184860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7184750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7184657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7184563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7184453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7184313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7184203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7184110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7184000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7183907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7183813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7183657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7183563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7183453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7183360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7183250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7183110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7183000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7182907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7182813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7182703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7182563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7182453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7182360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7182250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7182157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7182063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7181907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7181813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7181703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7181610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7181500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7181360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7181250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7181157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7181063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7180953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7180813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7180703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7180610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7180500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7180407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7180313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7180157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7180063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7179953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7179860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7179750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7179610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7179500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7179407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7179313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7179203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7179063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7178000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7177860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7177750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7177657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7177563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7177453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7177313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7177203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7177110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7177000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7176907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7176813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7176657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7176563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7176360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7176250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7176110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7176000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7175907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7175813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7175703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7175360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7175250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7175157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7175063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7174703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7174610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7174313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7174157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7174063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7173953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7173813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7173703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7173610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7173500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7173407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7173313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7173157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7173063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7172953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7172860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7172750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7172610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7172500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7172407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7172313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7172203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7172063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7171000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7170860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7170750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7170657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7170563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7170453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7170313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7170203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7170110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7170000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7169907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7169813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7169657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7169563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7169453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7169360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7169250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7169110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7169000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7168907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7168813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7168703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7168563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7168453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7168360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7168250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7168157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7168000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7167907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7167813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7167703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7167563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7167453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7167360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7167250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7167157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7167063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7166907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7166813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7166703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7166610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7166500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7166360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7166250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7166157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7166063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7165953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7165813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7165703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7165610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7165500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7165407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7165313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7165157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7165063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7164953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7164860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7164750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7164610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7164500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7164407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7164313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7164203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7164063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7163000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7162860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7162750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7162657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7162563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7162453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7162313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7162203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7162110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7162000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7161907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7161813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7161657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7161563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7161453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7161360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7161250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7161110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7161000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7160907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7160813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7160703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7160563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7160453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7160360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7160250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7160157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7160063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7159907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7159813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7159703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7159610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7159500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7159360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7159250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7159157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7159063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7158953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7158813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7158703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7158610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7158453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7158313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7158203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7158110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7158000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7157907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7157813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7157407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7157313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7157157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7157063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7156360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7156250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7156110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7156000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7155907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7155813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7155703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7155563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7155453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7155360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7155250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7155157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7155063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7154907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7154813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7154703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7154610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7154500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7154360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7154250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7154157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7154063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7153953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7153813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7153703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7153610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7153500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7153407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7153313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7153157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7153063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7152953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7152860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7152750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7152610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7152500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7152407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7152313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7152203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7152063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7151000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7150860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7150750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7150657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7150563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7150453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7150313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7150203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7150110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7150000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7149907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7149813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7149657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7149563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7149453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7149360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7149250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7149110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7149000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7148907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7148813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7148703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7148563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7148453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7148360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7148250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7148157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7148063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7147907s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7147813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7147703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7147610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7147500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7147360s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7147250s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7147157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7147063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7146953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7146813s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7146703s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7146610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7146500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7146407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7146313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7146157s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7146063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7145953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7145860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7145750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7145610s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7145500s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7145407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7145313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7145203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7145063s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144953s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144407s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7144000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7143860s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7143750s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7143657s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7143563s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7143453s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7143313s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7143203s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7143110s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7143000s >= -30000s
Source: C:\Users\user\Desktop\Shipping-Document.exe TID: 5452	Thread sleep time: -7142907s >= -30000s

Source: C:\Users\user\Desktop\Shipping-Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Shipping-Document.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\

Source: Shipping-Document.exe, 00000005.00000002.492662455.0000000005EC9000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vlc.exe, 0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp	Binary or memory string: EnableAntiVMware
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Shipping-Document.exe, 00000005.00000002.492662455.0000000005EC9000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareMicrosoft Basic Display AdapterWin32_VideoControllerMicrosoft Basic Display AdapterVideoController120060621000000.000000-00052351491display.infMSBDAMicrosoft Basic Display AdapterPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsVMwareu8
Source: Shipping-Document.exe, 00000005.00000002.492262599.0000000005E90000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.481282122.0000000001303000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Shipping-Document.exe, 00000005.00000002.492785493.0000000006090000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.492862252.0000000005DB0000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.492662913.0000000006330000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Shipping-Document.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Shipping-Document.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Shipping-Document.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: Shipping-Document.exe, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: vlc.exe.0.dr, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 0.0.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 0.2.Shipping-Document.exe.450000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 3.2.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 3.0.Shipping-Document.exe.3f0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 5.0.Shipping-Document.exe.990000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 5.2.Shipping-Document.exe.990000.1.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 12.2.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 12.0.vlc.exe.be0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 14.0.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 14.2.vlc.exe.b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 17.2.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 17.0.vlc.exe.4b0000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 18.0.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 18.2.vlc.exe.230000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 19.0.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 19.2.vlc.exe.90000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 20.2.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')
Source: 20.0.vlc.exe.190000.0.unpack, YtcOIiYW7VgAbHvwdB/kpAZSmNgi4DbiAxh4h.cs	Reference to suspicious API methods: ('r2UtKKWYh', 'GetProcAddress@kernel32'), ('EaY3dNjU5', 'LoadLibrary@kernel32'), ('X1JW1Hd12', 'VirtualProtect@kernel32')

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Shipping-Document.exe	Memory written: C:\Users\user\Desktop\Shipping-Document.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Shipping-Document.exe	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
Source: C:\Users\user\Desktop\Shipping-Document.exe	Process created: C:\Users\user\Desktop\Shipping-Document.exe C:\Users\user\Desktop\Shipping-Document.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Shipping-Document.exe, 00000005.00000002.482595709.00000000017B0000.00000002.00000001.sdmp, vlc.exe, 00000016.00000002.482874573.0000000001540000.00000002.00000001.sdmp, vlc.exe, 0000001A.00000002.483586638.0000000001960000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Shipping-Document.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Users\user\Desktop\Shipping-Document.exe VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Users\user\Desktop\Shipping-Document.exe VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping-Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Code function: 12_2_08A44570 GetUserNameA,

Source: C:\Users\user\Desktop\Shipping-Document.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: vlc.exe, 0000001A.00000002.481282122.0000000001303000.00000004.00000020.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Shipping-Document.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected MassLogger RAT

Show sources

Source: Yara match	File source: 00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.474961619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.392005702.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.401816626.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.399837462.0000000004325000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.380082858.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.285012492.0000000003F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.411380915.0000000003515000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1364, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1748, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY
Source: Yara match	File source: 26.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Shipping-Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\Shipping-Document.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY

Remote Access Functionality:

Yara detected MassLogger RAT

Show sources

Source: Yara match	File source: 00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.474961619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.392005702.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.401816626.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.399837462.0000000004325000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.380082858.00000000048A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.285012492.0000000003F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.411380915.0000000003515000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping-Document.exe PID: 1364, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1748, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 1256, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 484, type: MEMORY
Source: Yara match	File source: 26.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Shipping-Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation121	Registry Run Keys / Startup Folder11	Process Injection112	Disable or Modify Tools1	OS Credential Dumping1	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Obfuscated Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Masquerading1	Security Account Manager	System Information Discovery25	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion13	NTDS	Security Software Discovery331	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Shipping-Document.exe	21%	Virustotal		Browse
Shipping-Document.exe	5%	Metadefender		Browse
Shipping-Document.exe	21%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	21%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	5%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	21%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
26.2.vlc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139343	Download File
5.2.Shipping-Document.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139343	Download File
22.2.vlc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139343	Download File

Domains

Source	Detection	Scanner	Label	Link
cdn.onenote.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://api.ipify8	0%	URL Reputation	safe
http://api.ipify8	0%	URL Reputation	safe
http://api.ipify8	0%	URL Reputation	safe
http://api.ipify8	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://api.ipify8v	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://api.ipify.orgD	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://api.ipify8R	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com	54.243.164.148	true	false		high
api.ipify.org	unknown	unknown	false		high
cdn.onenote.net	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
http://api.ipify.org/p	Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp	false		high
http://www.tiro.com	vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://elb097307-934924932.us-east-1.elb.amazonaws.com	Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.486045579.0000000002D20000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485599592.0000000003142000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers	vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
http://api.ipify8	vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify8v	Shipping-Document.exe, 00000005.00000002.485070930.0000000002FAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify.org	Shipping-Document.exe, 00000005.00000002.485116357.0000000002FB4000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify.orgD	Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify.org/P	Shipping-Document.exe, 00000005.00000002.484657984.0000000002EDA000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.485932807.0000000002D0F000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.485514489.0000000003130000.00000004.00000001.sdmp	false		high
http://www.codeplex.com/DotNetZip	vlc.exe, 0000001A.00000002.488438717.0000000004091000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers8	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
https://www.youtube.com/watch?v=Qxk6cu21JSg	Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	false		high
http://www.fonts.com	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Shipping-Document.exe, 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, vlc.exe, 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, vlc.exe, 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Shipping-Document.exe, 00000000.00000002.297409828.0000000005850000.00000002.00000001.sdmp, vlc.exe, 0000000C.00000002.405013728.0000000006110000.00000002.00000001.sdmp, vlc.exe, 0000000E.00000002.426931776.00000000055D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify8R	vlc.exe, 00000016.00000002.486012293.0000000002D1B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.243.164.148	unknown	United States		14618	AMAZON-AESUS	false
54.235.142.93	unknown	United States		14618	AMAZON-AESUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321421
Start date:	21.11.2020
Start time:	22:20:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 10s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Shipping-Document.com (renamed file extension from com to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/10@7/3
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.4%) Quality average: 71.6% Quality standard deviation: 29.9%
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 104.43.139.144, 51.11.168.160, 2.20.142.209, 2.20.142.210, 51.104.139.180, 92.122.213.194, 92.122.213.247, 20.54.26.129, 92.122.145.220, 104.108.60.202, 84.53.167.113 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, wildcard.weather.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, e1553.dspg.akamaiedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net Execution Graph export aborted for target Shipping-Document.exe, PID 3420 because there are no executed function Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:21:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
22:21:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
22:22:14	API Interceptor	561x Sleep call for process: Shipping-Document.exe modified
22:22:52	API Interceptor	379x Sleep call for process: vlc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54.243.164.148	1119_673423.doc	Get hash	malicious	Browse	api.ipify.org/
	Rewgjqjhqwqn8.exe	Get hash	malicious	Browse	api.ipify.org/
	i3gRY0HYZn.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	mWKfVsuSZAHcuCc.exe	Get hash	malicious	Browse	api.ipify.org/
	Catalogue.exe	Get hash	malicious	Browse	api.ipify.org/
54.235.142.93	RVAgYSH2qh.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	BUILDING ORDER_PROPERTY SPECS.exe	Get hash	malicious	Browse	api.ipify.org/
	1118_8732615.doc	Get hash	malicious	Browse	api.ipify.org/
	XN33CLWH.EXE	Get hash	malicious	Browse	api.ipify.org/
	Al-Hbb_Doc-EUR_Pdf.exe	Get hash	malicious	Browse	api.ipify.org/
	YV2q4nAPVQ.exe	Get hash	malicious	Browse	api.ipify.org/
	1105_748543.doc	Get hash	malicious	Browse	api.ipify.org/
	174028911-035110-sanlccjavap0004-1.exe	Get hash	malicious	Browse	api.ipify.org/
	RFQ-NOV-2020.exe	Get hash	malicious	Browse	api.ipify.org/
	OZmn6gKEgi.exe	Get hash	malicious	Browse	api.ipify.org/
	WFDKJ4wsQ6.exe	Get hash	malicious	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
elb097307-934924932.us-east-1.elb.amazonaws.com	QRN-CLJC-06112020149.PDF.exe	Get hash	malicious	Browse	54.243.161.145
	yQDGREHA9h.exe	Get hash	malicious	Browse	54.235.83.248
	mcsrXx9lfD.exe	Get hash	malicious	Browse	54.235.83.248
	SecuriteInfo.com.Trojan.PackedNET.461.20928.exe	Get hash	malicious	Browse	23.21.42.25
	Defender-update-kit-x86x64.exe	Get hash	malicious	Browse	54.225.153.147
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	54.225.66.103
	ORDER.exe	Get hash	malicious	Browse	54.235.142.93
	Bill # 2.xlsx	Get hash	malicious	Browse	23.21.42.25
	PO1.xlsx	Get hash	malicious	Browse	174.129.214.20
	a7UZzCVWKO.exe	Get hash	malicious	Browse	54.204.14.42
	QKLQkaCe9M.exe	Get hash	malicious	Browse	50.19.252.36
	sAPuJAvs52.exe	Get hash	malicious	Browse	54.243.161.145
	JlgyVmPWZr.exe	Get hash	malicious	Browse	174.129.214.20
	EIUOzWW2JX.exe	Get hash	malicious	Browse	174.129.214.20
	RVAgYSH2qh.exe	Get hash	malicious	Browse	54.235.142.93
	yCyc4rN0u8.exe	Get hash	malicious	Browse	54.235.83.248
	9cXAnovmQX.exe	Get hash	malicious	Browse	54.225.66.103
	T2HDck1Mmy.exe	Get hash	malicious	Browse	54.235.142.93
	Purchase Order.exe	Get hash	malicious	Browse	54.225.66.103
	Payment Advice Note from 19.11.2020.exe	Get hash	malicious	Browse	23.21.126.66

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	QRN-CLJC-06112020149.PDF.exe	Get hash	malicious	Browse	54.243.161.145
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	52.71.133.130
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	54.208.77.124
	Fennec Pharma .docx	Get hash	malicious	Browse	54.84.56.113
	Fennec Pharma .docx	Get hash	malicious	Browse	54.84.56.113
	Fennec Pharma.xlsx	Get hash	malicious	Browse	54.84.56.113
	Fennec Pharma.xlsx	Get hash	malicious	Browse	54.84.56.113
	https://albanesebros.sendx.io/lp/shared-doc.html	Get hash	malicious	Browse	3.213.165.33
	http://www.openair.com	Get hash	malicious	Browse	34.202.206.65
	https://faxfax.zizera.com/remittanceadvice	Get hash	malicious	Browse	184.73.218.177
	http://webnavigator.co	Get hash	malicious	Browse	34.235.7.64
	https://mcmms.typeform.com/to/Vtnb9OBC	Get hash	malicious	Browse	34.200.62.85
	yQDGREHA9h.exe	Get hash	malicious	Browse	54.235.83.248
	mcsrXx9lfD.exe	Get hash	malicious	Browse	54.235.83.248
	SecuriteInfo.com.Trojan.PackedNET.461.20928.exe	Get hash	malicious	Browse	23.21.42.25
	Defender-update-kit-x86x64.exe	Get hash	malicious	Browse	54.225.153.147
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	54.225.66.103
	ORDER.exe	Get hash	malicious	Browse	54.235.142.93
	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	52.1.99.77
	Bill # 2.xlsx	Get hash	malicious	Browse	23.21.42.25
AMAZON-AESUS	QRN-CLJC-06112020149.PDF.exe	Get hash	malicious	Browse	54.243.161.145
	Purchase Order 40,7045$.exe	Get hash	malicious	Browse	52.71.133.130
	Purchase Order 40,7045.exe	Get hash	malicious	Browse	54.208.77.124
	Fennec Pharma .docx	Get hash	malicious	Browse	54.84.56.113
	Fennec Pharma .docx	Get hash	malicious	Browse	54.84.56.113
	Fennec Pharma.xlsx	Get hash	malicious	Browse	54.84.56.113
	Fennec Pharma.xlsx	Get hash	malicious	Browse	54.84.56.113
	https://albanesebros.sendx.io/lp/shared-doc.html	Get hash	malicious	Browse	3.213.165.33
	http://www.openair.com	Get hash	malicious	Browse	34.202.206.65
	https://faxfax.zizera.com/remittanceadvice	Get hash	malicious	Browse	184.73.218.177
	http://webnavigator.co	Get hash	malicious	Browse	34.235.7.64
	https://mcmms.typeform.com/to/Vtnb9OBC	Get hash	malicious	Browse	34.200.62.85
	yQDGREHA9h.exe	Get hash	malicious	Browse	54.235.83.248
	mcsrXx9lfD.exe	Get hash	malicious	Browse	54.235.83.248
	SecuriteInfo.com.Trojan.PackedNET.461.20928.exe	Get hash	malicious	Browse	23.21.42.25
	Defender-update-kit-x86x64.exe	Get hash	malicious	Browse	54.225.153.147
	https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us	Get hash	malicious	Browse	54.225.66.103
	ORDER.exe	Get hash	malicious	Browse	54.235.142.93
	http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1	Get hash	malicious	Browse	52.1.99.77
	Bill # 2.xlsx	Get hash	malicious	Browse	23.21.42.25

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\AEC365839D\Log.txt Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1800
Entropy (8bit):	5.4448188256893255
Encrypted:	false
SSDEEP:	24:GSZnNMZxaXok+/RV3kdZzM0f2uVM/viyJ1WhnGyJkdEiPv5J80:GSFAg+/RV3OZI0uuu6MchGJj5J80
MD5:	C34F8BF4E27BB68FA0108BC5A5712E24
SHA1:	FC0B4511A39BD5178205D175D4C548ACED69AF23
SHA-256:	D11FCFABCA1A007F95CCB792F723CF6CC6DE29816E16F50330EAC19D4F54127D
SHA-512:	DA6ECBCBC7F93487951101755D70B52404BAB1AA2EC3513B809DE2E9830FF9E153FCC608773BBB6ABA17706462F3DD3243A19A1F5F9449153949207D7AE8B1FA
Malicious:	false
Reputation:	low
Preview:	<\|\| v2.4.0.0 \|\|>..User Name: user..IP: 84.17.52.25..Location: United States..Windows OS: Microsoft Windows 10 Pro 64bit..Windows Serial Key: VG7NF-BJ77Y-WRF7X-GJVW7-H3M8T..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: Microsoft Basic Display Adapter..AV: Windows Defender ..Screen Resolution: 1280x1024..Current Time: 11/21/2020 10:23:00 PM..MassLogger Started: 11/21/2020 10:22:56 PM..Interval: 2 hour..MassLogger Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe..MassLogger Melt: false..MassLogger Exit after delivery: false..As Administrator: True..Processes:..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsfQCpnoELUtpNHbSOcsFhHJG, Title:Chrome..Name:nrsf

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping-Document.exe.log Download File
Process:	C:\Users\user\Desktop\Shipping-Document.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5:	3197B1D4714B56F2A6AC9E83761739AE
SHA1:	3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256:	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512:	58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5:	3197B1D4714B56F2A6AC9E83761739AE
SHA1:	3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256:	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512:	58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\DotNetZip-3hg33bsx.tmp Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	1313
Entropy (8bit):	7.043036922524586
Encrypted:	false
SSDEEP:	24:9wqN/6fFjxKN/Ujj9/ewfbBI6Dt8kme/F0yZhFiR0/xnxN/UjjbZIKN/6fFjGZHb:9xN6NjoNUjj9/PDBHx8kme/7MR8xxNUV
MD5:	DBCE34334D5F6D7582E247A4101BD020
SHA1:	C0D92A5B3A595721D0708901B4EDA33306DAC714
SHA-256:	6CB6784E1A1BB42526FAC9DC4A7EA512EABE2764078BDEE866FC0126A25C4E30
SHA-512:	539FBA7D05E7481FBF47A58DB79CA5B74B706C0646BB23AE62F314DFBAF355395F5A16986D9B969B922FF111066045BFC63672DA79185BA64D72CAF08D4C9FE5
Malicious:	false
Reputation:	low
Preview:	PK.........uQ............2.$.user_United States_AEC365839D_11-21-2020 22.23.4/.. .........................v....PK.........uQ............9.$.user_United States_AEC365839D_11-21-2020 22.23.4/Log.txt.. ...............................[o.0...#.;..V.,d....@[...6..$..0qd;.N\|..@..F...<..\|.?...l.......`...:#...\|...\G.\.../..W~.r.....f0......[4.3.q...<..tD..Q3..k...VPN.}c....../...r.....?r.~..=..O.....uj......._BMi..v.} ;.J...B.."...~.Q.F.P.&....O,j...Q_.g.G....B..C....>...m.._$....[..,K..g.~..(B..a$..q..7...srH....X.].vl..^s....J......aPcAV.....T...-....D<........s..q.....+..E..]..k..q....f\......g$.".b...U.....c5.J3....0...S.....=.I.5.<...h.7?Q.DV[h......g...I..)...{..9t-.Tbt .bw.O...s,..p}..4V....AUe.AH...~7T..FIv.il...[E..,.J.T.....r.....\.g.....$.3.....P-.x.Y..q.{.xL.TjyN..t..g.."..4.::..F.u.xz...yu..Ih.E"].P.U6.N...."CC...FzY.~.e.I.L.?*....7PK.........uQ...........9.$.user_United States_AEC365839D_11-21-2020 22.23.4/Log.txt.. .............

C:\Users\user\AppData\Local\Temp\DotNetZip-4b2ut3ef.tmp Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	1317
Entropy (8bit):	7.031494974591168
Encrypted:	false
SSDEEP:	24:93NzHNzdj6ETBEVZ/EVKkC71ETR6PaSAEjw1kaOIrENzSZXNzlZJpNzTil:93pHplrlGZ/XHXiPEjw11apSZXplZvpK
MD5:	8132E6EA831C1B6BE4BD2291AADB6039
SHA1:	D976FFAA6CD0E120B8776CFAFB09D7B716ADEEC6
SHA-256:	F530344314CBD18FAD28D37A886B9597EC8DA7497B13EFD859A0D1048CC68F0C
SHA-512:	E61875E84C19AD02AFAB345922335F8CF709F15CD19074A3688122617160ACE1E0E785A346F334B335A8B703FC88DB3360BDABE869CD4E326E9272B10FFCFD1E
Malicious:	false
Reputation:	low
Preview:	PK.........uQ............3.$.user_United States_AEC365839D_11-21-2020 22.22.58/.. .........................}....PK.........uQ............:.$.user_United States_AEC365839D_11-21-2020 22.22.58/Log.txt.. ...............................[o.0...#.;..V.,d. ...e@[Bi.mS^Lr...G.C......J..0M......s...v.k.X.zE....32...W.`.u..un....b.R.....tU.P..Q",.0..q..Hb.l.a. ..VF.,..%..Z.uy..;@-..{\|a0nWz.B..R.Y.<.?...R.\|..C.i.G.n.......J..0...p}.y..(....R...7.unD.MaR._....v....5q.IL.. ..<.Q2.Z....e.i.....T}...\|."d..J..\'..t.\|N.)?..t.-Wwl..^s...........a.`a^........-..._.d...._#.w.B.I.....+..E..[.k..q...PZ.3..{.....g$.b.b.........c5.J3....0...S...&.{wd.^g:x.Lk.k..TZ....j........7.&.S$3C.j?s.Z...@.....\k..D.....i.p.->........n.%1.......%.F.YZ...9.M..././.H..-!..I.g.:?R:..Z...Q.~...Y... ....g.."..4.:>..F.u.x\|...yu..Ih.E"[.P.T>.N...."CK...FzY.~...lH.N.?*.....PK.........uQ.BW........:.$.user_United States_AEC365839D_11-21-2020 22.22.58/Log.txt.. ...........

C:\Users\user\AppData\Local\Temp\DotNetZip-fu3v0fes.tmp Download File
Process:	C:\Users\user\Desktop\Shipping-Document.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	1297
Entropy (8bit):	7.030906938500873
Encrypted:	false
SSDEEP:	24:9rNmNTbeBs5whYIPS9u3ShMBoyoINsn/CbuuKmmNTUZLNUZfzNTs:9rIN76OIPS9uiioyTNsn/CadmmNUZL6g
MD5:	018370A0F32AFAE7CD5FA0B7CA08BF33
SHA1:	F4A3ABD2679619E0476A65D01D090B6F97064F27
SHA-256:	C48C00649DE76CF63D8ED975D6C6926F5E12E46559EFD3F329AF19576AAFF383
SHA-512:	226DCA9CBBF1B4EF9B207D3316B256791FB9D60E954F4655FE6339E1FD64BCFED526B12988DC0AB85A05FB69F4D23F038BA492C49DCBBEAFA432F773AE164729
Malicious:	false
Reputation:	low
Preview:	PK.........uQ............3.$.user_United States_AEC365839D_11-21-2020 22.22.19/.. ...........................PK.........uQ............:.$.user_United States_AEC365839D_11-21-2020 22.22.19/Log.txt.. .........h......h.............mo.0...G.w...4X...j......%.6..$.X.8...N\|.]...F...)yu....;..b...\){e....32.....`.u..u...j.._-.....unU.P..Q",.0..q..Hb.d.n.'"...[8X}..Z.ye&..;D-...\|f0.T..R.Z.Q.<...K...Z.~..B.i.F.........J.I.;...p~.y..(..:]R...7..nD.-aR.....v.....k.....w.a...x@.d....j.........B(.,...~/.(B..........1.j. ...My....Ym..A.G....T.~.....1..l.W.Lw.....J..HS.,J-.ek.V.....Ci..4...a...l.Q.G..X.P.."..jn.f.../j.0..].D..}3M......lx....{..D...Ys......&...4F&-.O.....~.P....@4......S"..p}.4-....A.e.FH...~7..Fi~.q,D......a{.O..c.....x!...-$.$I....#.c..j.E..D.......R.U. ..q!..p..u.......\|......4X..8..n...4k#...#,(z...V$.....by9.R.3._.....7PK.........uQ.A.S}.......:.$.user_United States_AEC365839D_11-21-2020 22.22.19/Log.txt.. .........h......h..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Download File
Process:	C:\Users\user\Desktop\Shipping-Document.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1631688
Entropy (8bit):	4.471355537934198
Encrypted:	false
SSDEEP:	24576:rZpGi0JaVRMk7p5aYo6KdumheNUSIt2TZ+rSY6GJX1Vgsms38jZcPuUdIZTkLmuD:W
MD5:	47F1684C0075AEA74BB225586D55B6E3
SHA1:	7198622C341F1F6982EB20AC7A431508289DF924
SHA-256:	58BA104E01F9650518E256C03102A8105428E761988CE5905DE77CD45A53AD90
SHA-512:	863AF48BCE8E913D01E43EF0DD6BE8CA683D2B37EFA36AF9F517F76AEC6D99D6975F9797A8069996C591E06737AB3E978FFEAAD6612DE27C285202FD2B0D028A
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 21%, Browse Antivirus: Metadefender, Detection: 5%, Browse Antivirus: ReversingLabs, Detection: 21%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._................................. ... ....@.. ....................................@.................................`...K.... ..p................9........................................................... ............... ..H............text........ ...................... ..`.rsrc...p.... ......................@..@.reloc..............................@..B........................H........>..03...........q...............................................0..?........(....8....8........E........8.....(.... .....:....& ....8......0..d....... ........8........E................0...{...I...[.......8.....{....o....(....(....& ....(....:....&8........ ....(....:....&8......(....& ....8.......Y.. ....(....9k...& ....8`.....(....(....&8 ....{....o....(...... ........8...*(#... ....(....9....& ....8....8?... ....(....9....&8.... T...(....8.....{....(....(....o..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Shipping-Document.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.471355537934198
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipping-Document.exe
File size:	1631688
MD5:	47f1684c0075aea74bb225586d55b6e3
SHA1:	7198622c341f1f6982eb20ac7a431508289df924
SHA256:	58ba104e01f9650518e256c03102a8105428e761988ce5905de77cd45a53ad90
SHA512:	863af48bce8e913d01e43ef0dd6be8ca683d2b37efa36af9f517f76aec6d99d6975f9797a8069996c591e06737ab3e978ffeaad6612de27c285202fd2b0d028a
SSDEEP:	24576:rZpGi0JaVRMk7p5aYo6KdumheNUSIt2TZ+rSY6GJX1Vgsms38jZcPuUdIZTkLmuD:W
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_................................. ... ....@.. ....................................@................................

File Icon


Icon Hash:	3dfce089e4c4d4e4

Static PE Info

General
Entrypoint:	0x570bae
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB8C219 [Sat Nov 21 07:30:33 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/7/2019 4:00:00 PM 11/16/2022 4:00:00 AM
Subject Chain	CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
Version:	3
Thumbprint MD5:	463BFA4FA69A9E6C4D8813CCFAAF16EE
Thumbprint SHA-1:	A3958AE522F3C54B878B20D7B0F63711E08666B2
Thumbprint SHA-256:	5F2F2840C6E51D17F09334ADA05D9DCDD9AEEB11AF0AE163816757D539ABE3EE
Serial:	06AEA76BAC46A9E8CFE6D29E45AAF033

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x170b60	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x172000	0x1ba70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x18ac00	0x39c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16ebb4	0x16ec00	False	0.47218960357	data	4.03017385847	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x172000	0x1ba70	0x1bc00	False	0.202509149775	data	5.19563928652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18e000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x172220	0x2320	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x174540	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x184d68	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x188f90	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x18b538	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 4473920
RT_ICON	0x18c5e0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x18ca48	0x5a	data
RT_VERSION	0x18caa4	0x374	data
RT_MANIFEST	0x18ce18	0xc55	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018 Google LLC
Assembly Version	1.3.35.451
InternalName	Ulzzwremyvkd6.exe
FileVersion	1.3.35.451
CompanyName	Google LLC
Comments	Google Installer
ProductName	Google Update
ProductVersion	1.3.35.451
FileDescription	Google Installer
OriginalFilename	Ulzzwremyvkd6.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 22:22:00.762152910 CET	49721	80	192.168.2.3	54.243.164.148
Nov 21, 2020 22:22:00.864978075 CET	80	49721	54.243.164.148	192.168.2.3
Nov 21, 2020 22:22:00.865180016 CET	49721	80	192.168.2.3	54.243.164.148
Nov 21, 2020 22:22:00.866674900 CET	49721	80	192.168.2.3	54.243.164.148
Nov 21, 2020 22:22:00.969307899 CET	80	49721	54.243.164.148	192.168.2.3
Nov 21, 2020 22:22:00.976836920 CET	80	49721	54.243.164.148	192.168.2.3
Nov 21, 2020 22:22:01.021373034 CET	49721	80	192.168.2.3	54.243.164.148
Nov 21, 2020 22:22:49.953600883 CET	49732	80	192.168.2.3	54.235.142.93
Nov 21, 2020 22:22:50.056014061 CET	80	49732	54.235.142.93	192.168.2.3
Nov 21, 2020 22:22:50.056130886 CET	49732	80	192.168.2.3	54.235.142.93
Nov 21, 2020 22:22:50.056575060 CET	49732	80	192.168.2.3	54.235.142.93
Nov 21, 2020 22:22:50.158710003 CET	80	49732	54.235.142.93	192.168.2.3
Nov 21, 2020 22:22:50.164937019 CET	80	49732	54.235.142.93	192.168.2.3
Nov 21, 2020 22:22:50.212912083 CET	49732	80	192.168.2.3	54.235.142.93
Nov 21, 2020 22:22:58.560981989 CET	49735	80	192.168.2.3	54.235.142.93
Nov 21, 2020 22:22:58.664211988 CET	80	49735	54.235.142.93	192.168.2.3
Nov 21, 2020 22:22:58.664439917 CET	49735	80	192.168.2.3	54.235.142.93
Nov 21, 2020 22:22:58.665633917 CET	49735	80	192.168.2.3	54.235.142.93
Nov 21, 2020 22:22:58.768011093 CET	80	49735	54.235.142.93	192.168.2.3
Nov 21, 2020 22:22:58.773164034 CET	80	49735	54.235.142.93	192.168.2.3
Nov 21, 2020 22:22:58.921525002 CET	49735	80	192.168.2.3	54.235.142.93
Nov 21, 2020 22:23:00.887444973 CET	80	49721	54.243.164.148	192.168.2.3
Nov 21, 2020 22:23:00.888092041 CET	49721	80	192.168.2.3	54.243.164.148

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2020 22:21:09.186827898 CET	64185	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:09.222868919 CET	53	64185	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:09.993848085 CET	65110	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:10.031853914 CET	53	65110	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:10.809195995 CET	58361	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:10.836564064 CET	53	58361	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:13.862592936 CET	63492	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:13.889771938 CET	53	63492	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:14.660721064 CET	60831	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:14.687913895 CET	53	60831	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:15.488516092 CET	60100	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:15.515783072 CET	53	60100	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:16.470161915 CET	53195	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:16.497458935 CET	53	53195	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:17.383024931 CET	50141	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:17.410284996 CET	53	50141	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:18.664967060 CET	53023	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:18.700856924 CET	53	53023	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:19.479413033 CET	49563	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:19.507297039 CET	53	49563	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:20.338855028 CET	51352	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:20.366700888 CET	53	51352	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:21.156471014 CET	59349	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:21.183614016 CET	53	59349	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:21.959223986 CET	57084	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:21.994941950 CET	53	57084	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:22.774533033 CET	58823	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:22.801701069 CET	53	58823	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:33.957308054 CET	57568	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:33.984694958 CET	53	57568	8.8.8.8	192.168.2.3
Nov 21, 2020 22:21:59.075335026 CET	50540	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:21:59.112881899 CET	53	50540	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:00.357954979 CET	54366	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:00.385130882 CET	53	54366	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:00.455102921 CET	53034	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:00.482178926 CET	53	53034	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:07.953336954 CET	57762	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:07.980539083 CET	53	57762	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:11.918097973 CET	55435	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:11.955988884 CET	53	55435	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:43.168602943 CET	50713	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:43.196012974 CET	53	50713	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:49.819142103 CET	56132	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:49.846364975 CET	53	56132	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:49.866417885 CET	58987	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:49.893604994 CET	53	58987	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:52.974126101 CET	56579	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:53.017977953 CET	53	56579	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:57.601746082 CET	60633	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:57.639264107 CET	53	60633	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:57.786498070 CET	61292	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:57.813941956 CET	53	61292	8.8.8.8	192.168.2.3
Nov 21, 2020 22:22:58.480577946 CET	63619	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:22:58.507960081 CET	53	63619	8.8.8.8	192.168.2.3
Nov 21, 2020 22:23:16.125009060 CET	64938	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:23:16.126764059 CET	61946	53	192.168.2.3	8.8.8.8
Nov 21, 2020 22:23:16.162115097 CET	53	64938	8.8.8.8	192.168.2.3
Nov 21, 2020 22:23:16.163928032 CET	53	61946	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 21, 2020 22:22:00.357954979 CET	192.168.2.3	8.8.8.8	0x2079	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.455102921 CET	192.168.2.3	8.8.8.8	0x1600	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.819142103 CET	192.168.2.3	8.8.8.8	0xf7e8	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.866417885 CET	192.168.2.3	8.8.8.8	0xe1e4	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:57.786498070 CET	192.168.2.3	8.8.8.8	0x59b2	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:58.480577946 CET	192.168.2.3	8.8.8.8	0xc345	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 21, 2020 22:23:16.125009060 CET	192.168.2.3	8.8.8.8	0xfcb0	Standard query (0)	cdn.onenote.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.169.28	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.182.194	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		174.129.214.20	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.385130882 CET	8.8.8.8	192.168.2.3	0x2079	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.247.141	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.169.28	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.182.194	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		174.129.214.20	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:00.482178926 CET	8.8.8.8	192.168.2.3	0x1600	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.247.141	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.126.66	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.161.145	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.846364975 CET	8.8.8.8	192.168.2.3	0xf7e8	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.247.141	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.153.147	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.169.28	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.42.25	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:49.893604994 CET	8.8.8.8	192.168.2.3	0xe1e4	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.126.66	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.161.145	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:57.813941956 CET	8.8.8.8	192.168.2.3	0x59b2	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.247.141	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		174.129.214.20	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.153.147	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.247.141	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.169.28	A (IP address)	IN (0x0001)
Nov 21, 2020 22:22:58.507960081 CET	8.8.8.8	192.168.2.3	0xc345	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.42.25	A (IP address)	IN (0x0001)
Nov 21, 2020 22:23:16.162115097 CET	8.8.8.8	192.168.2.3	0xfcb0	No error (0)	cdn.onenote.net	cdn.onenote.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49721	54.243.164.148	80	C:\Users\user\Desktop\Shipping-Document.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 22:22:00.866674900 CET	348	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Nov 21, 2020 22:22:00.976836920 CET	349	IN	HTTP/1.1 200 OK Server: Cowboy Connection: keep-alive Content-Type: text/plain Vary: Origin Date: Sat, 21 Nov 2020 21:22:00 GMT Content-Length: 11 Via: 1.1 vegur Data Raw: 38 34 2e 31 37 2e 35 32 2e 32 35 Data Ascii: 84.17.52.25

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49732	54.235.142.93	80	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 22:22:50.056575060 CET	3658	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Nov 21, 2020 22:22:50.164937019 CET	3658	IN	HTTP/1.1 200 OK Server: Cowboy Connection: keep-alive Content-Type: text/plain Vary: Origin Date: Sat, 21 Nov 2020 21:22:50 GMT Content-Length: 11 Via: 1.1 vegur Data Raw: 38 34 2e 31 37 2e 35 32 2e 32 35 Data Ascii: 84.17.52.25

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49735	54.235.142.93	80	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Timestamp	kBytes transferred	Direction	Data
Nov 21, 2020 22:22:58.665633917 CET	3669	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
Nov 21, 2020 22:22:58.773164034 CET	3675	IN	HTTP/1.1 200 OK Server: Cowboy Connection: keep-alive Content-Type: text/plain Vary: Origin Date: Sat, 21 Nov 2020 21:22:58 GMT Content-Length: 11 Via: 1.1 vegur Data Raw: 38 34 2e 31 37 2e 35 32 2e 32 35 Data Ascii: 84.17.52.25

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Shipping-Document.exe PID: 1364 Parent PID: 5600

General

Start time:	22:21:14
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\Shipping-Document.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Shipping-Document.exe'
Imagebase:	0x450000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.292894367.0000000003997000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000003.285012492.0000000003F10000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Shipping-Document.exe PID: 3420 Parent PID: 1364

General

Start time:	22:21:49
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\Shipping-Document.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Shipping-Document.exe
Imagebase:	0x3f0000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Shipping-Document.exe PID: 1488 Parent PID: 1364

General

Start time:	22:21:50
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\Shipping-Document.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Shipping-Document.exe
Imagebase:	0x990000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.483989726.0000000002DE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.474947911.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: vlc.exe PID: 1748 Parent PID: 3388

General

Start time:	22:22:00
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase:	0xbe0000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000003.392005702.00000000048A0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000002.399837462.0000000004325000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000003.380082858.00000000048A0000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 21%, Virustotal, Browse Detection: 5%, Metadefender, Browse Detection: 21%, ReversingLabs
Reputation:	low

Analysis Process: vlc.exe PID: 3440 Parent PID: 3388

General

Start time:	22:22:08
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase:	0xb0000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000E.00000003.401816626.00000000040ED000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000E.00000002.411380915.0000000003515000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: vlc.exe PID: 2792 Parent PID: 1748

General

Start time:	22:22:34
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x4b0000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: vlc.exe PID: 6052 Parent PID: 1748

General

Start time:	22:22:34
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x230000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: vlc.exe PID: 1872 Parent PID: 1748

General

Start time:	22:22:36
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x90000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: vlc.exe PID: 4472 Parent PID: 1748

General

Start time:	22:22:37
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x190000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: vlc.exe PID: 5352 Parent PID: 1748

General

Start time:	22:22:37
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x10000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: vlc.exe PID: 1256 Parent PID: 1748

General

Start time:	22:22:40
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x7ff7488e0000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.484501673.0000000002B51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000016.00000002.474961619.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: vlc.exe PID: 1012 Parent PID: 3440

General

Start time:	22:22:43
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x7ff7488e0000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: vlc.exe PID: 4832 Parent PID: 3440

General

Start time:	22:22:45
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x350000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: vlc.exe PID: 484 Parent PID: 3440

General

Start time:	22:22:45
Start date:	21/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0xb10000
File size:	1631688 bytes
MD5 hash:	47F1684C0075AEA74BB225586D55B6E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.484549006.0000000002F71000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000001A.00000002.475038821.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Shipping-Document.com

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: MassLogger

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre