Analysis Report BL FOR SHIPMENT_doc.gz.exe

Overview

General Information

Sample Name: BL FOR SHIPMENT_doc.gz.exe
Analysis ID: 338152
MD5: 04e43f3aee65c1d03b8c7adfa6d9fce9
SHA1: 1bce09b3a5c827d412feea47a86619fa9a7ac94f
SHA256: 9fecb65659cb47a10afab901b14904f54384f5481e0ef0331e009bfc580cfe29
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "kyqjbOqsGP2YKsV", "URL: ": "https://M2zxRmp3kpObpEIzJWTy.com", "To: ": "sydney@dicon.md", "ByHost: ": "mail.dicon.md:587", "Password: ": "Hoq8zXmvKJ", "From: ": "sydney@dicon.md"}
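The configuration above is the sample's whole exfiltration path: there is no HTTP panel in use, only an SMTP relay and a mailbox that receives the stolen data. The following added example (Python; not part of this report, and not Joe Sandbox or AgentTesla code) normalises the extractor's output, derives the network indicators from it, checks them against the flows the sandbox observed, and emits a Suricata DNS rule. RAW_CONFIG is the string from the Malware Configuration section; CONNECTIONS and DNS_RECORDS are constructed from the Networking section further down (the A record for mail.dicon.md is assumed, since the report lists only the query); the rule sid is a placeholder.

```python
"""Turn the extracted AgentTesla configuration into indicators and check them
against the traffic the sandbox observed.

Added example; not part of the report, and not AgentTesla or Joe Sandbox code.
RAW_CONFIG is the configuration string from the report. CONNECTIONS and
DNS_RECORDS are constructed from its Networking lines; the A record for
mail.dicon.md is assumed because the report shows only the query.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlparse

RAW_CONFIG = (
    '{"Username: ": "kyqjbOqsGP2YKsV", "URL: ": "https://M2zxRmp3kpObpEIzJWTy.com", '
    '"To: ": "sydney@dicon.md", "ByHost: ": "mail.dicon.md:587", '
    '"Password: ": "Hoq8zXmvKJ", "From: ": "sydney@dicon.md"}'
)

# (src ip, src port, dst ip, dst port), constructed from
# "TCP traffic: 192.168.2.4:49771 -> 194.33.40.40:587"
CONNECTIONS = [("192.168.2.4", 49771, "194.33.40.40", 587)]
# (query name, answer), constructed from "DNS traffic detected: queries for: mail.dicon.md";
# the answer is an assumption, the report does not show the response
DNS_RECORDS = [("mail.dicon.md", "194.33.40.40")]


@dataclass(frozen=True)
class SmtpExfil:
    host: str
    port: int
    sender: str
    recipient: str
    username: str


def normalise_config(raw: str) -> dict:
    """The extractor labels each field as 'Key: '; strip that so fields get plain lower-case names."""
    return {key.rstrip(": ").lower(): value for key, value in json.loads(raw).items()}


def smtp_exfil(cfg: dict) -> SmtpExfil:
    """AgentTesla's SMTP mode: ByHost is 'relay:port'; From/To name the drop mailbox."""
    host, _, port = cfg["byhost"].partition(":")
    return SmtpExfil(host.lower(), int(port) if port else 25, cfg["from"], cfg["to"], cfg["username"])


def network_iocs(cfg: dict) -> set:
    """Hostnames to block or hunt for: the SMTP relay plus whatever the URL field points at."""
    iocs = {smtp_exfil(cfg).host}
    url_host = urlparse(cfg.get("url", "")).hostname  # urlparse lower-cases the host
    if url_host:
        iocs.add(url_host)
    return iocs


def exfil_flows(exfil: SmtpExfil, dns_records, connections) -> list:
    """Flows that reached the configured relay on the configured port. Resolution comes
    from the captured DNS answers only; never resolve attacker infrastructure live."""
    relay_ips = {ip for name, ip in dns_records if name.lower() == exfil.host}
    return [c for c in connections if c[2] in relay_ips and c[3] == exfil.port]


def suricata_dns_rule(exfil: SmtpExfil, sid: int = 9000001) -> str:
    """Alert on the relay lookup. sid is a placeholder; allocate one from your local range."""
    return (
        f'alert dns any any -> any any (msg:"AgentTesla SMTP relay lookup {exfil.host}"; '
        f'dns.query; content:"{exfil.host}"; nocase; endswith; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    cfg = normalise_config(RAW_CONFIG)
    exfil = smtp_exfil(cfg)
    print("relay:", exfil.host, exfil.port, "mailbox:", exfil.recipient)
    print("indicators:", sorted(network_iocs(cfg)))
    print("matching flows:", exfil_flows(exfil, DNS_RECORDS, CONNECTIONS))
    print(suricata_dns_rule(exfil))
```

The rule keys on DNS rather than on SMTP content because the relay is reached on port 587, where the session normally upgrades to STARTTLS: the sender, recipient and AUTH credentials are visible in the extracted configuration but not on the wire. The Let's Encrypt and IdenTrust URLs listed under Networking are certificate-chain strings, consistent with such a TLS upgrade having taken place in the sandbox run.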

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.665888158.00000000045C4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.1008577891.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: BL FOR SHIPMENT_doc.gz.exe PID: 6440 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(3 entries not shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.BL FOR SHIPMENT_doc.gz.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
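The identifiers in the two tables above say where each Yara hit came from: which process, the base address of the dumped region and the page protection it had at dump time. The following added example (Python; not part of this report and not Joe Sandbox code) parses both the memory-dump and the unpacked-PE names and ranks the dumps by whether they were executable. The field layout it assumes (process index, dump round, dump id, base address, page protection, type) is the author's reading of the names in this report, and the protection field is interpreted as a Windows PAGE_* constant; treat both as assumptions.

```python
"""Decode the memory-dump and unpacked-PE identifiers used in the Yara tables.

Added example; not from the report or from Joe Sandbox. The field layout
assumed here (process . round . dump id . base . protection . type) is the
author's reading of the identifiers in this report, and the protection value
is interpreted as a Windows PAGE_* constant (winnt.h).
"""
import re
from dataclasses import dataclass

PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

_SDMP = re.compile(r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
_UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9A-Fa-f]+)\.(\d+)\.unpack$")

# Identifiers copied from this report's Yara Overview.
REPORT_DUMPS = [
    "00000000.00000002.665888158.00000000045C4000.00000004.00000001.sdmp",
    "00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp",
    "00000001.00000002.1008577891.0000000000402000.00000040.00000001.sdmp",
]
REPORT_UNPACK = "1.2.BL FOR SHIPMENT_doc.gz.exe.400000.0.unpack"


@dataclass(frozen=True)
class MemoryDump:
    process: int     # process index in the analysis (assumed: 0 = submitted sample, 1 = the copy it spawned)
    dump_round: int  # assumed: when in the run the dump was taken
    dump_id: int
    base: int        # virtual base address of the dumped region
    protect: int     # page protection at dump time
    kind: int        # last field; meaning not determined here

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)

    @property
    def rwx(self) -> bool:
        """Writable and executable at once: the usual footprint of unpacked or injected code."""
        return self.protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


@dataclass(frozen=True)
class UnpackedPe:
    process: int
    dump_round: int
    image_name: str
    base: int
    index: int


def parse_sdmp(name: str) -> MemoryDump:
    m = _SDMP.match(name)
    if not m:
        raise ValueError(f"not a memory-dump identifier: {name!r}")
    proc, rnd, dump_id, base, protect, kind = m.groups()
    return MemoryDump(int(proc), int(rnd), int(dump_id), int(base, 16), int(protect, 16), int(kind, 16))


def parse_unpack(name: str) -> UnpackedPe:
    m = _UNPACK.match(name)
    if not m:
        raise ValueError(f"not an unpacked-PE identifier: {name!r}")
    proc, rnd, image, base, idx = m.groups()
    return UnpackedPe(int(proc), int(rnd), image, int(base, 16), int(idx))


def belongs_to(dump: MemoryDump, pe: UnpackedPe, max_image_size: int = 0x100000) -> bool:
    """Heuristic: the dump lies inside the unpacked image if it is in the same process and
    its base sits within max_image_size bytes above the image base. Section sizes are not
    part of the identifier, so this is an upper bound rather than an exact range check."""
    return dump.process == pe.process and pe.base <= dump.base < pe.base + max_image_size


def triage(names) -> list:
    """Executable dumps first: those hold code and are the ones to open in a disassembler."""
    dumps = [parse_sdmp(n) for n in names]
    return sorted((d for d in dumps if d.executable), key=lambda d: (d.process, d.base))


if __name__ == "__main__":
    pe = parse_unpack(REPORT_UNPACK)
    for d in triage(REPORT_DUMPS):
        print(f"process {d.process} base {d.base:#x} protect {d.protect:#x} rwx={d.rwx} in_image={belongs_to(d, pe)}")
```

Run against this report, the only executable dump is the PAGE_EXECUTE_READWRITE region at 0x402000 in process 1, 0x2000 above the unpacked PE at 0x400000, which is where the first section of a .NET image commonly starts; the two 0x04 (read-write) dumps that also matched the AgentTesla rule are heap data, useful for strings and the configuration but not for code. That distinction is why the Unpacked PEs entry, not the heap dumps, is the artefact to hand to a .NET decompiler.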

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: BL FOR SHIPMENT_doc.gz.exe.3976.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "kyqjbOqsGP2YKsV", "URL: ": "https://M2zxRmp3kpObpEIzJWTy.com", "To: ": "sydney@dicon.md", "ByHost: ": "mail.dicon.md:587", "Password: ": "Hoq8zXmvKJ", "From: ": "sydney@dicon.md"}
Multi AV Scanner detection for submitted file
Source: BL FOR SHIPMENT_doc.gz.exe | Virustotal: Detection: 28%
Source: BL FOR SHIPMENT_doc.gz.exe | ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: BL FOR SHIPMENT_doc.gz.exe | Joe Sandbox ML: detected
Source: 1.2.BL FOR SHIPMENT_doc.gz.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: BL FOR SHIPMENT_doc.gz.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BL FOR SHIPMENT_doc.gz.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://M2zxRmp3kpObpEIzJWTy.com
Source: global traffic | TCP traffic: 192.168.2.4:49771 -> 194.33.40.40:587
Source: global traffic | TCP traffic: 192.168.2.4:49771 -> 194.33.40.40:587
Source: unknown | DNS traffic detected: queries for: mail.dicon.md
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | String found in binary or memory: http://dicon.md
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: http://fwuwEZ.com
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | String found in binary or memory: http://mail.dicon.md
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/05
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010139904.00000000031FE000.00000004.00000001.sdmp | String found in binary or memory: https://M2zxRmp3kpObpEIzJWTy.com
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.665888158.00000000045C4000.00000004.00000001.sdmp, BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1008577891.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 1.2.BL FOR SHIPMENT_doc.gz.exe.400000.0.unpack, <PrivateImplementationDetails>{918F0518-7F6E-4A76-9126-C7CB299D37B9}/D9348C2C-20BF-4203-981B-2157C2180C58.cs | Large array initialization: .cctor: array initializer size 11923
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: BL FOR SHIPMENT_doc.gz.exe
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 0_2_07C9D380
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 0_2_07C9DA30
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_0133B518
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_01336490
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_053746A0
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_05373CF6
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_05374630
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_05374652
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_05374690
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_064026C3
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_0640BC50
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_06408D18
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_06409A78
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_06405A08
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_06400040
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_06408158
Source: BL FOR SHIPMENT_doc.gz.exe | Binary or memory string: OriginalFilename vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.669113666.00000000078C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.665888158.00000000045C4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.665888158.00000000045C4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewhlDyMZDpWePGzIbeEPZpLr.exe4 vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000000.641105525.0000000000CE2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenE vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe | Binary or memory string: OriginalFilename vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1013045409.0000000006430000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1008727298.0000000000DA8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1008623295.0000000000B42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenE vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1008577891.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewhlDyMZDpWePGzIbeEPZpLr.exe4 vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe | Binary or memory string: OriginalFilenamenE vs BL FOR SHIPMENT_doc.gz.exe
Source: BL FOR SHIPMENT_doc.gz.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BL FOR SHIPMENT_doc.gz.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.BL FOR SHIPMENT_doc.gz.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.BL FOR SHIPMENT_doc.gz.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BL FOR SHIPMENT_doc.gz.exe.log
Source: BL FOR SHIPMENT_doc.gz.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: BL FOR SHIPMENT_doc.gz.exe | Virustotal: Detection: 28%
Source: BL FOR SHIPMENT_doc.gz.exe | ReversingLabs: Detection: 17%
Source: unknown | Process created: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe 'C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe'
Source: unknown | Process created: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe {path}
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Process created: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe {path}
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: BL FOR SHIPMENT_doc.gz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BL FOR SHIPMENT_doc.gz.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: BL FOR SHIPMENT_doc.gz.exe, ?dde??Vjy?i/zHK???cn???.cs | .Net Code: pSSOFDNSnX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.BL FOR SHIPMENT_doc.gz.exe.ce0000.0.unpack, ?dde??Vjy?i/zHK???cn???.cs | .Net Code: pSSOFDNSnX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.BL FOR SHIPMENT_doc.gz.exe.ce0000.0.unpack, ?dde??Vjy?i/zHK???cn???.cs | .Net Code: pSSOFDNSnX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.BL FOR SHIPMENT_doc.gz.exe.b40000.0.unpack, ?dde??Vjy?i/zHK???cn???.cs | .Net Code: pSSOFDNSnX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.BL FOR SHIPMENT_doc.gz.exe.b40000.1.unpack, ?dde??Vjy?i/zHK???cn???.cs | .Net Code: pSSOFDNSnX System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_014ED95C push eax; ret 1_2_014ED95D
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_014EE28A push eax; ret 1_2_014EE349
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_06407606 push es; iretd 1_2_06407610
Source: initial sample | Static PE information: section name: .text entropy: 7.68132853589
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: BL FOR SHIPMENT_doc.gz.exe PID: 6440, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Window / User API: threadDelayed 1684
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Window / User API: threadDelayed 8167
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe TID: 6444 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe TID: 2192 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe TID: 6900 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe TID: 6896 | Thread sleep count: 1684 > 30
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe TID: 6896 | Thread sleep count: 8167 > 30
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.663963919.000000000336D000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Code function: 1_2_06409A78 LdrInitializeThunk,1_2_06409A78
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Process created: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe {path}
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009523603.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009523603.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009523603.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009523603.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match, file source: 00000000.00000002.665888158.00000000045C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.1008577891.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: BL FOR SHIPMENT_doc.gz.exe PID: 6440, type: MEMORY
Source: Yara match, file source: Process Memory Space: BL FOR SHIPMENT_doc.gz.exe PID: 3976, type: MEMORY
Source: Yara match, file source: 1.2.BL FOR SHIPMENT_doc.gz.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match, file source: 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: BL FOR SHIPMENT_doc.gz.exe PID: 3976, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.665888158.00000000045C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1008577891.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BL FOR SHIPMENT_doc.gz.exe PID: 6440, type: MEMORY
Source: Yara match | File source: Process Memory Space: BL FOR SHIPMENT_doc.gz.exe PID: 3976, type: MEMORY
Source: Yara match | File source: 1.2.BL FOR SHIPMENT_doc.gz.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation211; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading1; Virtualization/Sandbox Evasion13; Disable or Modify Tools1; Process Injection12; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information2; Software Packing13
Credential Access: OS Credential Dumping2; Credentials in Registry1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry1; Security Software Discovery211; Virtualization/Sandbox Evasion13; Process Discovery2; Application Window Discovery1; Remote System Discovery1; System Information Discovery114
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection1; Archive Collected Data11; Data from Local System2; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel1; Non-Standard Port1; Non-Application Layer Protocol1; Application Layer Protocol111; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

(graph legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet)

              Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
BL FOR SHIPMENT_doc.gz.exe | 28% | Virustotal |
BL FOR SHIPMENT_doc.gz.exe | 17% | ReversingLabs | Win32.Trojan.Pwsx
BL FOR SHIPMENT_doc.gz.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.BL FOR SHIPMENT_doc.gz.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
dicon.md | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://dicon.md | 0% | Virustotal |
http://dicon.md | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://M2zxRmp3kpObpEIzJWTy.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://fwuwEZ.com | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/05 | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://mail.dicon.md | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dicon.md | 194.33.40.40 | true | true | | unknown
mail.dicon.md | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://M2zxRmp3kpObpEIzJWTy.com | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://DynDns.comDynDNS | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://dicon.md | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fwuwEZ.com | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.i.lencr.org/05 | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.o.lencr.org0 | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.dicon.md | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.667695107.0000000006160000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | BL FOR SHIPMENT_doc.gz.exe, 00000000.00000002.665888158.00000000045C4000.00000004.00000001.sdmp; BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1008577891.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.root-x1.letsencrypt.org0 | BL FOR SHIPMENT_doc.gz.exe, 00000001.00000002.1010094051.00000000031DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.33.40.40 | unknown | Moldova Republic of | 206698 | AMPLICAMD | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 338152
Start date: 11.01.2021
Start time: 18:12:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: BL FOR SHIPMENT_doc.gz.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 30
• Number of non-executed functions: 1
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.255.188.83, 51.104.139.180, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 8.248.133.254, 8.248.149.254, 67.26.137.254, 8.248.131.254, 67.27.233.254, 51.11.168.160
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
18:13:00 | API Interceptor | 1100x Sleep call for process: BL FOR SHIPMENT_doc.gz.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                    No context

                                    ASN

Match | Associated Sample Name / URL | Detection | Context
AMPLICAMD | 15о заказе.js | malicious | 185.165.242.5

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BL FOR SHIPMENT_doc.gz.exe.log
Process: C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.672462819594914
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:BL FOR SHIPMENT_doc.gz.exe
                                    File size:868352
                                    MD5:04e43f3aee65c1d03b8c7adfa6d9fce9
                                    SHA1:1bce09b3a5c827d412feea47a86619fa9a7ac94f
                                    SHA256:9fecb65659cb47a10afab901b14904f54384f5481e0ef0331e009bfc580cfe29
                                    SHA512:0150f88de48b441f8280a57afa2da62db8d96030aa7d76216ea27a2ebec2077aba2bd6944940fb2241f26e8f45d996d7d49760a205e12f9797aaff2549d6dcd9
                                    SSDEEP:12288:8+YIt10emnVKrlQksJo6DIDn5WT54ETEE5VJAoWEaDr/HZiB41ab5qMp9meTH:NYq1bmn4rjsywT3YE5VJAxvD08op9/T
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p._.................4..........^R... ........@.. ....................................@................................

                                    File Icon

                                    Icon Hash:00828e8e8686b000

                                    Static PE Info

                                    General

                                    Entrypoint:0x4d525e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x5FFC7099 [Mon Jan 11 15:36:57 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:v4.0.30319
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al

                                    Data Directories

                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd5208 | 0x53 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd6000 | 0x800 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd8000 | 0xc | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x2000 | 0xd3264 | 0xd3400 | False | 0.813755085059 | data | 7.68132853589 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0xd6000 | 0x800 | 0x800 | False | 0.3330078125 | data | 3.49311095127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0xd8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    Name | RVA | Size | Type | Language | Country
                                    RT_VERSION | 0xd6090 | 0x388 | data | |
                                    RT_MANIFEST | 0xd6428 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                    Imports

                                    DLL | Import
                                    mscoree.dll | _CorExeMain

                                    Version Infos

                                    Description | Data
                                    Translation | 0x0000 0x04b0
                                    LegalCopyright | Copyright Overwolf 2011 - 2020
                                    Assembly Version | 2.159.0.0
                                    InternalName | n.exe
                                    FileVersion | 2.159.0.0
                                    CompanyName | Overwolf Ltd.
                                    LegalTrademarks |
                                    Comments | Overwolf Launcher
                                    ProductName | OverwolfLauncher
                                    ProductVersion | 2.159.0.0
                                    FileDescription | OverwolfLauncher
                                    OriginalFilename | n.exe

                                    Network Behavior

                                    Network Port Distribution

                                    TCP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 11, 2021 18:14:42.559436083 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:42.637659073 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:42.637816906 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:42.861222029 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:42.861852884 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:42.945286036 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:42.945712090 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.030203104 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.074209929 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.118367910 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.236181974 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.239213943 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.239265919 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.239305019 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.239357948 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.248747110 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.327022076 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.327749014 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.371118069 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.613140106 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.693869114 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.695502043 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.774070024 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.775563002 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.869687080 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.871118069 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:43.949812889 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:43.950710058 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:44.029705048 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:44.030528069 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:44.108799934 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:44.111227036 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:44.111510038 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:44.112556934 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:44.112760067 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40
                                    Jan 11, 2021 18:14:44.189486027 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:44.189588070 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:44.190604925 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:44.190726995 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:44.427582026 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4
                                    Jan 11, 2021 18:14:44.468312979 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40

                                    UDP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 11, 2021 18:12:49.464170933 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:49.512180090 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:12:50.583703995 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:50.631527901 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:12:52.270781040 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:52.318659067 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:12:53.491065979 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:53.540293932 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:12:54.771020889 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:54.819034100 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:12:55.708014965 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:55.755938053 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:12:56.842890978 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:56.902055025 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:12:58.026612997 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:58.077466011 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:12:58.837728977 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:58.888622046 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:12:59.635940075 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:12:59.683841944 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:00.618387938 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:00.669015884 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:01.396958113 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:01.444984913 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:02.156285048 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:02.204107046 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:02.917515039 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:02.968255043 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:14.248281002 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:14.299212933 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:17.927120924 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:17.985075951 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:31.205475092 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:31.309273958 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:31.873848915 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:31.985476017 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:32.586378098 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:32.642829895 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:33.081886053 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:33.140909910 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:33.206767082 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:33.265825033 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:33.604794025 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:33.661056995 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:34.221616030 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:34.280769110 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:34.867137909 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:34.926578045 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:35.735361099 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:35.794492006 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:36.685787916 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:36.733956099 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:37.153882027 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:37.213567972 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:39.725151062 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:39.776146889 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:49.024144888 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:49.072282076 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:49.217411041 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:49.289505005 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:13:51.394382000 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:13:51.454652071 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:14:24.312299013 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:14:24.363344908 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:14:26.142430067 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:14:26.208874941 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:14:42.143096924 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:14:42.242369890 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4
                                    Jan 11, 2021 18:14:42.278589010 CET | 50904 | 53 | 192.168.2.4 | 8.8.8.8
                                    Jan 11, 2021 18:14:42.466648102 CET | 53 | 50904 | 8.8.8.8 | 192.168.2.4

                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    Jan 11, 2021 18:14:42.143096924 CET | 192.168.2.4 | 8.8.8.8 | 0x1c8e | Standard query (0) | mail.dicon.md | A (IP address) | IN (0x0001)
                                    Jan 11, 2021 18:14:42.278589010 CET | 192.168.2.4 | 8.8.8.8 | 0x83e6 | Standard query (0) | mail.dicon.md | A (IP address) | IN (0x0001)

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Jan 11, 2021 18:14:42.242369890 CET | 8.8.8.8 | 192.168.2.4 | 0x1c8e | No error (0) | mail.dicon.md | dicon.md | | CNAME (Canonical name) | IN (0x0001)
                                    Jan 11, 2021 18:14:42.242369890 CET | 8.8.8.8 | 192.168.2.4 | 0x1c8e | No error (0) | dicon.md | | 194.33.40.40 | A (IP address) | IN (0x0001)
                                    Jan 11, 2021 18:14:42.466648102 CET | 8.8.8.8 | 192.168.2.4 | 0x83e6 | No error (0) | mail.dicon.md | dicon.md | | CNAME (Canonical name) | IN (0x0001)
                                    Jan 11, 2021 18:14:42.466648102 CET | 8.8.8.8 | 192.168.2.4 | 0x83e6 | No error (0) | dicon.md | | 194.33.40.40 | A (IP address) | IN (0x0001)

                                    SMTP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                    Jan 11, 2021 18:14:42.861222029 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4 | 220-web2.amplica.net ESMTP Exim 4.93 #2 Mon, 11 Jan 2021 19:14:42 +0200
                                                                                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                      220 and/or bulk e-mail.
                                    Jan 11, 2021 18:14:42.861852884 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40 | EHLO 830021
                                    Jan 11, 2021 18:14:42.945286036 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4 | 250-web2.amplica.net Hello 830021 [84.17.52.74]
                                                                                                                      250-SIZE 83886080
                                                                                                                      250-8BITMIME
                                                                                                                      250-PIPELINING
                                                                                                                      250-AUTH PLAIN LOGIN
                                                                                                                      250-STARTTLS
                                                                                                                      250 HELP
                                    Jan 11, 2021 18:14:42.945712090 CET | 49771 | 587 | 192.168.2.4 | 194.33.40.40 | STARTTLS
                                    Jan 11, 2021 18:14:43.030203104 CET | 587 | 49771 | 194.33.40.40 | 192.168.2.4 | 220 TLS go ahead

                                    Code Manipulations

                                    System Behavior

                                    General

                                    Start time:18:12:54
                                    Start date:11/01/2021
                                    Path:C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe'
                                    Imagebase:0xce0000
                                    File size:868352 bytes
                                    MD5 hash:04E43F3AEE65C1D03B8C7ADFA6D9FCE9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.665888158.00000000045C4000.00000004.00000001.sdmp, Author: Joe Security
                                    Reputation:low

                                    General

                                    Start time:18:13:03
                                    Start date:11/01/2021
                                    Path:C:\Users\user\Desktop\BL FOR SHIPMENT_doc.gz.exe
                                    Wow64 process (32bit):true
                                    Commandline:{path}
                                    Imagebase:0xb40000
                                    File size:868352 bytes
                                    MD5 hash:04E43F3AEE65C1D03B8C7ADFA6D9FCE9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1009653360.0000000002E81000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1008577891.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    Reputation:low

                                    Disassembly

                                    Code Analysis

                                      Executed Functions

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.669878299.0000000007C90000.00000040.00000001.sdmp, Offset: 07C90000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e69ad7c540c261e9f63d5f2b7a55b95fa59e1e833312943ecb2bb8474b69b749
                                      • Instruction ID: 68ffb531f2f7a80843252d8c75ef05d9b7cde441e43580e9509bc8c13ed556c3
                                      • Opcode Fuzzy Hash: e69ad7c540c261e9f63d5f2b7a55b95fa59e1e833312943ecb2bb8474b69b749
                                      • Instruction Fuzzy Hash: 15125B74A10219CFCF54DF68D888A9DB7B2FF85304F5185A5E90AAB225DB30EE85CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.669878299.0000000007C90000.00000040.00000001.sdmp, Offset: 07C90000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1ffabbb82dc230d28f9d1dc8f915e02249fdb9d7229f65d06096d2eea944016d
                                      • Instruction ID: 18effe5a1d4e7fbefac78e60d563a8779adc9631904ba6ee0e79b1d7e05fd619
                                      • Opcode Fuzzy Hash: 1ffabbb82dc230d28f9d1dc8f915e02249fdb9d7229f65d06096d2eea944016d
                                      • Instruction Fuzzy Hash: 4B724AB5E0021ACFCF54CFA8C888AADBBB1FF45300F1585A9D546BB255D7309E91CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1013008218.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a69010f2832ff5ed30631b7fec4358e9ce26ee030234320b91b709112844d50a
                                      • Instruction ID: bf827a3bc7593d992f6a392e288e9c0332bb2a9f75fa5cd50ed92eeab762c442
                                      • Opcode Fuzzy Hash: a69010f2832ff5ed30631b7fec4358e9ce26ee030234320b91b709112844d50a
                                      • Instruction Fuzzy Hash: 85B27030E002198FDB65DF78C85479EB7F1AF89300F1185AAD509EB3A5EB349D85CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 43aa7858e2b755abfa413ee80f20dad902a0905f9badd03367339e2f38921a24
                                      • Instruction ID: 7e797952a67c919716401f05cb112dad423a14f6432a9deb98a8b8da0daa2ccf
                                      • Opcode Fuzzy Hash: 43aa7858e2b755abfa413ee80f20dad902a0905f9badd03367339e2f38921a24
                                      • Instruction Fuzzy Hash: 4BC17474B006098FDB24EF79C49465EBBF2FF88204B108A2DD51ADB755DF78E9018B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 053769A0
                                      • GetCurrentThread.KERNEL32 ref: 053769DD
                                      • GetCurrentProcess.KERNEL32 ref: 05376A1A
                                      • GetCurrentThreadId.KERNEL32 ref: 05376A73
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 2bbf3cf036e8143dd141f1f06af5885ccbf8aeebecc5e302a489c8c209611be5
                                      • Instruction ID: eba5aa6ccda0bcc280272cd854e9c57db78070fb9fecc703f4076b3be270d748
                                      • Opcode Fuzzy Hash: 2bbf3cf036e8143dd141f1f06af5885ccbf8aeebecc5e302a489c8c209611be5
                                      • Instruction Fuzzy Hash: 275167B0D046499FDB14CFAAC949BDEBFF0EF89314F24846AE449A7390DB785844CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 053769A0
                                      • GetCurrentThread.KERNEL32 ref: 053769DD
                                      • GetCurrentProcess.KERNEL32 ref: 05376A1A
                                      • GetCurrentThreadId.KERNEL32 ref: 05376A73
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: c9cc7813948e28c050ca6c904777df9a1dabdcb846ce67cd9f260e430df63568
                                      • Instruction ID: 8cc5b2287981c407de57545a489a0e45afc93ca3d0693e573ed92b9bfd815dbd
                                      • Opcode Fuzzy Hash: c9cc7813948e28c050ca6c904777df9a1dabdcb846ce67cd9f260e430df63568
                                      • Instruction Fuzzy Hash: 2C5144B0D006499FDB14CFAAC649BDEBFF1AF88314F24846AE449A7390DB785844CF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1013008218.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 589a77403e411b8ac8dd8bfb2d654b1f4e389b31b1c7cf40691260c2f06d09bb
                                      • Instruction ID: ba9276b295a81d2cca5adb6cd1a9656b332c6edc96e66f2c07bbaefb058b6145
                                      • Opcode Fuzzy Hash: 589a77403e411b8ac8dd8bfb2d654b1f4e389b31b1c7cf40691260c2f06d09bb
                                      • Instruction Fuzzy Hash: 78511231B002059FDB54EBB4D844AAE77F6EF85210F14856AE506DB3A5DF74E804CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bc1a3a3aff0379c9a2fa51d478dc4c251e43822ae019888427f15f3ac9b78fee
                                      • Instruction ID: 89eaf9d18928bd8dd890df89215b4f07414552ec4c57186ec3802e7e6ecac1fd
                                      • Opcode Fuzzy Hash: bc1a3a3aff0379c9a2fa51d478dc4c251e43822ae019888427f15f3ac9b78fee
                                      • Instruction Fuzzy Hash: 386112B1C0424DAFDF16CFA5C884ACDBFB1BF49310F25816AE808AB261D7759855CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1013008218.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 2cfd73a4833a92dc3c28769e83999a3d1655cafc0dba77572ade7cebb022591c
                                      • Instruction ID: 31f7ab35e179f5a29001200f559216c8c34faac5a002413fa187bbbf77636885
                                      • Opcode Fuzzy Hash: 2cfd73a4833a92dc3c28769e83999a3d1655cafc0dba77572ade7cebb022591c
                                      • Instruction Fuzzy Hash: 1751A371B0021A9FDB14EFB4D854AAEB7E5FF85214B148A29D502DB395DF74EC04CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1013008218.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: af1fe190b601436c76aa34fd3111e6a11d1ca54bfc48c8fa8be36cccf349c581
                                      • Instruction ID: aaaf4323e3861204b8fee71d5a02e6761262e4971630aff3cdaa226c300d13ab
                                      • Opcode Fuzzy Hash: af1fe190b601436c76aa34fd3111e6a11d1ca54bfc48c8fa8be36cccf349c581
                                      • Instruction Fuzzy Hash: 18414172E083658FDB04DFB9D8006DABBB5EF89220F15856BD504E7391DB789891CBE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053751A2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: a1c51c033aad4a163197afe1ff0061a198fcbbbc5d9a76bb3e63365459b3b3c3
                                      • Instruction ID: cc4879baf648dd5b9b684586d4ba6e31eeff9099307baa8bf1f8e3193361b8ea
                                      • Opcode Fuzzy Hash: a1c51c033aad4a163197afe1ff0061a198fcbbbc5d9a76bb3e63365459b3b3c3
                                      • Instruction Fuzzy Hash: A941B0B1D1034D9FDF14CF9AC884ADEBBB5BF88314F64812AE819AB210D7749945CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05376BEF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 7fd499870b8ce4903dd4dd39fd5964d9b472e92fdea3d2318a4ee405e323220e
                                      • Instruction ID: 4202a3b55637dbfdc835a869c44e46bd144dd1f3fd534b6bc4bbc69a1c7436cb
                                      • Opcode Fuzzy Hash: 7fd499870b8ce4903dd4dd39fd5964d9b472e92fdea3d2318a4ee405e323220e
                                      • Instruction Fuzzy Hash: 9E417C74A103499FE714AFA1EA9EBA93FF5E788314F504529FA099B7C4CB745801CF21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05377F01
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: CallProcWindow
                                      • String ID:
                                      • API String ID: 2714655100-0
                                      • Opcode ID: 9d4358d81024c77456f8f6b8862209ddc7975cf3dff65d25bf1b9621de30766e
                                      • Instruction ID: 5112530245236ced6cc9b287e1cacdafa72bc68839fc313fbd7aabb2f088d7ff
                                      • Opcode Fuzzy Hash: 9d4358d81024c77456f8f6b8862209ddc7975cf3dff65d25bf1b9621de30766e
                                      • Instruction Fuzzy Hash: CF412CB4900309DFDB14CF55C448BAABBF5FF88314F158459E519AB361D774A841CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlEncodePointer.NTDLL(00000000), ref: 0537C192
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: EncodePointer
                                      • String ID:
                                      • API String ID: 2118026453-0
                                      • Opcode ID: 66fd2037d8f52d7825620b6981a4489e39db1082f386172222fe4d34e9e82f47
                                      • Instruction ID: eda5cbba7588a0ff505d9bbd2137cf4063c76a89ab819228bad6422ad826f499
                                      • Opcode Fuzzy Hash: 66fd2037d8f52d7825620b6981a4489e39db1082f386172222fe4d34e9e82f47
                                      • Instruction Fuzzy Hash: D731E0708043898FDB20DFA9DA593DEBFF4FB46318F14906AD448A7642C7796904CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05376BEF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: fae17680dbd24b76e0a08b5c6a4436dcc5b045ffaf08f6bd12a3f029d59dfbbe
                                      • Instruction ID: fc87edb2ac8b10a728fa85a1e912ffb00e0b1e45cb607864446ab56e5c86554c
                                      • Opcode Fuzzy Hash: fae17680dbd24b76e0a08b5c6a4436dcc5b045ffaf08f6bd12a3f029d59dfbbe
                                      • Instruction Fuzzy Hash: E521E5B5D002499FDB10CF9AD985BDEBFF8EB48320F14842AE914A3350D378A944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05376BEF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 07047c0f2859eed538ecb9ab4813d5b1eaf761862a3de6d83026ace97dc313fe
                                      • Instruction ID: f29084d9d6eda8b63b39f7f084edef561a6e69a1c77fae6c06cacd1adbd3643f
                                      • Opcode Fuzzy Hash: 07047c0f2859eed538ecb9ab4813d5b1eaf761862a3de6d83026ace97dc313fe
                                      • Instruction Fuzzy Hash: 1D21E4B5D002499FDB10CF9AD984BDEBBF8FB48320F14842AE914A3310D378A944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0640E08A), ref: 0640E177
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1013008218.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      • Opcode ID: 2784fc85957cf17c4de5dcb35fa302e201d349b28707c1f6749b99d33ca17c67
                                      • Instruction ID: b7d8ddd8d53f031c4373ca4540c58adbda4f5ae63d381c3600bc1c4d1869ac77
                                      • Opcode Fuzzy Hash: 2784fc85957cf17c4de5dcb35fa302e201d349b28707c1f6749b99d33ca17c67
                                      • Instruction Fuzzy Hash: 242133B1C006699FDB10CFAAD844BDEFBB8AF48320F15852AE414B7240D378A955CFE1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,01337819,00000800), ref: 013378AA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009225416.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 2a2384639d715dc24668691e437db2d89e49b060e01666753e9020cebfd76b76
                                      • Instruction ID: 3af3d139bde8e8988f0b0e03aed2cc6381532bc0a085e2ad3a0c13cdd1c1c1e0
                                      • Opcode Fuzzy Hash: 2a2384639d715dc24668691e437db2d89e49b060e01666753e9020cebfd76b76
                                      • Instruction Fuzzy Hash: 8E11E4B6D002499FDB14CF9AD844BDEFFF4EB88324F14842AE515A7600C374A945CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,01337819,00000800), ref: 013378AA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009225416.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 89caaa4953613f60cc33fc6f4f064448e78fe9d6ebcd00f2310c51c7a533da6c
                                      • Instruction ID: 41808bd31fbd6937516ba4c8ccdafff6c4d251c64d8e95fc07b4c1ae1e457c08
                                      • Opcode Fuzzy Hash: 89caaa4953613f60cc33fc6f4f064448e78fe9d6ebcd00f2310c51c7a533da6c
                                      • Instruction Fuzzy Hash: 241114B6C002499FDB14CFAAD844BDEFFF4EB88324F14842AE555A7200C375A545CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0640E08A), ref: 0640E177
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1013008218.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      • Opcode ID: 3cf61e460bd5a32a180b358cbd5d06b64de958fa0e5e81947b6b9e638a9601b7
                                      • Instruction ID: d38230ff79c3957d43cc49a4d89b9d1890f5854580be1fbb14f2a0e561f35b4e
                                      • Opcode Fuzzy Hash: 3cf61e460bd5a32a180b358cbd5d06b64de958fa0e5e81947b6b9e638a9601b7
                                      • Instruction Fuzzy Hash: 001142B1C006699BDB00CF9AC444BDEFBF4AF48224F15856AE918B7340D378A955CFE1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 05374116
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: b0e6974296343f9aaf99c39480830366b48e9d340c53f3c1efe751716ee7fe47
                                      • Instruction ID: 03988c86a68c7118346d077cd11d59d7dc9005c14ff5e2623beca99ea691926e
                                      • Opcode Fuzzy Hash: b0e6974296343f9aaf99c39480830366b48e9d340c53f3c1efe751716ee7fe47
                                      • Instruction Fuzzy Hash: AE1133B6D002498BDB20DF9AC4447DEFBF4EB89324F15842AD459B7200D3B8A546CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlEncodePointer.NTDLL(00000000), ref: 0537C192
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: EncodePointer
                                      • String ID:
                                      • API String ID: 2118026453-0
                                      • Opcode ID: 0f4522d3966c819ecbd7b9d71158640a81b963f9ecf24879ba8e6061aa90f0a3
                                      • Instruction ID: 8dd96f8671dfbf887f81772ffb5c234d97baa47609f599c0429c97d95d34b63d
                                      • Opcode Fuzzy Hash: 0f4522d3966c819ecbd7b9d71158640a81b963f9ecf24879ba8e6061aa90f0a3
                                      • Instruction Fuzzy Hash: 471159B0D007498FDB20DFA9CA497DEBBF4FB45324F24942AD405A3641CB796944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 05374116
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1010787276.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 72974324ebace642daecb9258c3bcb53fb8efe8ce6c2fde5f357ee0ae6b9b925
                                      • Instruction ID: f4737c2ec0fca359d0220ee3a9a197b96712680b19a00cc6904649f56d27b596
                                      • Opcode Fuzzy Hash: 72974324ebace642daecb9258c3bcb53fb8efe8ce6c2fde5f357ee0ae6b9b925
                                      • Instruction Fuzzy Hash: 631104B5D047498FDB20DF9AC444BDEFBF5EB88224F15842AD419B7600D378A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 0133B355
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009225416.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                      Similarity
                                      • API ID: Initialize
                                      • String ID:
                                      • API String ID: 2538663250-0
                                      • Opcode ID: 0a7caef2a3eb2964d1050824106daa08f37294d10ce3d76465ff69570705ca82
                                      • Instruction ID: c575481a6bae21baad21c3b6c8025448caa71fbf8b0808419f1e56c15b5630dd
                                      • Opcode Fuzzy Hash: 0a7caef2a3eb2964d1050824106daa08f37294d10ce3d76465ff69570705ca82
                                      • Instruction Fuzzy Hash: FF1122B5900649CFDB10CF9AC489BCFFBF8EB88224F14841AD518A3600C338A944CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OleInitialize.OLE32(00000000), ref: 0133B355
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009225416.0000000001330000.00000040.00000001.sdmp, Offset: 01330000, based on PE: false
                                      Similarity
                                      • API ID: Initialize
                                      • String ID:
                                      • API String ID: 2538663250-0
                                      • Opcode ID: a10c64a903fe40b123937d2bfcdde38a8ca4c9db9d24d704813861fbdcbfa5c7
                                      • Instruction ID: efd1f4ec8fd8ea006c0836fbf3d1ad0e5e1de60ff9d3d4012119d915695d1a86
                                      • Opcode Fuzzy Hash: a10c64a903fe40b123937d2bfcdde38a8ca4c9db9d24d704813861fbdcbfa5c7
                                      • Instruction Fuzzy Hash: E11133B4800658CFDB10CF9AC488BDEFBF8EB88224F14841AD919A3300C378A944CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009347367.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4ebd4dff409db78762890215b345e06086f6f28f5a10d4c3c25a742b5e0fafbe
                                      • Instruction ID: df9dcee23556069ebc53e0edc519e9a697d804b12060281ec6ccc192ced31557
                                      • Opcode Fuzzy Hash: 4ebd4dff409db78762890215b345e06086f6f28f5a10d4c3c25a742b5e0fafbe
                                      • Instruction Fuzzy Hash: 0B212871904240EFDF05CF94D9D0B2BBB65FB88324F24C66AE9054B296C736D816CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009347367.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 086bdc1279b5134c9babcbb08c935d0bdc0d8509922a4663facfb84756eecf06
                                      • Instruction ID: 6dc3321904b634477135c379a4c04ca41d61ce689cf6c955864915c8d963c463
                                      • Opcode Fuzzy Hash: 086bdc1279b5134c9babcbb08c935d0bdc0d8509922a4663facfb84756eecf06
                                      • Instruction Fuzzy Hash: 372124B1904240EFDF01DF54D9D0B67BF65FB84324F24866AD9054B296C336E816CAA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009373366.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2e721f1b0b65de76af9fca292a4735224265731d5f30d334daf87ac436f51e72
                                      • Instruction ID: 690ea3224283663b6a69e53a469250e1c1ed5b0a6d3c55308eb3a4584603ddf4
                                      • Opcode Fuzzy Hash: 2e721f1b0b65de76af9fca292a4735224265731d5f30d334daf87ac436f51e72
                                      • Instruction Fuzzy Hash: CF2137B1904240DFDB15CF54D8C8B26BFA5FB84359F28CA6AD9494B356C336D807CA61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009373366.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4972763c50c2834ceaf555ef98b3e7f85efb463561261a23e69c7d26f58a6d7
                                      • Instruction ID: e5bebcd984f8af472b0070d324d3ce3ca07dd6a81b5407a0173a505d9c753b90
                                      • Opcode Fuzzy Hash: e4972763c50c2834ceaf555ef98b3e7f85efb463561261a23e69c7d26f58a6d7
                                      • Instruction Fuzzy Hash: 532192755093808FDB03CF24D994716BFB1EF46214F28C5DBD8498B667C33A980ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009347367.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 036465fe5e54c15c5947acaccae627ac078cd2d7162af116298a92938776bd5d
                                      • Instruction ID: 036778f3bcffc31e76b540f37bacd8eee1e8a02fb795013c04858aec56c4889a
                                      • Opcode Fuzzy Hash: 036465fe5e54c15c5947acaccae627ac078cd2d7162af116298a92938776bd5d
                                      • Instruction Fuzzy Hash: 2921AF76804280DFDF16CF54D9D4B1ABF71FB88314F28C2AAD8444B666C33AD466CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1009347367.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                      • Instruction ID: cbce0aa40823bbfa95a74c93e484feae6d68b90954ccd802c2d92fa51b10079a
                                      • Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                      • Instruction Fuzzy Hash: D911B176904280DFDF16CF54D9D4B16BF71FB84324F2486AAD8050B667C33AD45ACBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions