Analysis Report: Shipping Documents000000000000000000020.exe

Overview

General Information

Sample Name: Shipping Documents000000000000000000020.exe
Analysis ID: 385348
MD5: 88926051eb8f9a2ff4ab25ce7a0ad41a
SHA1: e67ecfbae026b6643e2efb7e22a0b209658d943a
SHA256: 40295912aeeb49a6c9cb45bf5981e80ed788de2984e6306ccfd8cbfdc6855c9c

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Shipping Documents000000000000000000020.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe' MD5: 88926051EB8F9A2FF4AB25CE7A0AD41A)
    • powershell.exe (PID: 5992 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "ab@noradobe.commax@#1235smtp.noradobe.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.684611255.000000000441C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Shipping Documents000000000000000000020.exe.452eed8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Shipping Documents000000000000000000020.exe.452eed8.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ab@noradobe.commax@#1235smtp.noradobe.com"}
Multi AV Scanner detection for submitted file
Source: Shipping Documents000000000000000000020.exe | Virustotal: Detection: 31%
Machine Learning detection for sample
Source: Shipping Documents000000000000000000020.exe | Joe Sandbox ML: detected
Source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Shipping Documents000000000000000000020.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Shipping Documents000000000000000000020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Management.Automation.pdb | Windows source: powershell.exe, 00000002.00000002.761718998.000000000076E000.00000004.00000020.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49771 -> 208.91.199.224:587

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack, <PrivateImplementationDetails>{037AF53E-BCFC-4C0F-BE1D-31131A909FA4}/A7A768EA-CB92-4FAF-9F4C-47F2075D610B.cs | Large array initialization: .cctor: array initializer size 11974
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.685157704.0000000004645000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.695864065.0000000011D70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.695864065.0000000011D70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.678238591.0000000002C11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000000.644586199.0000000000998000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIPermissionSetEntry.exeP vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.695267930.0000000011C70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.693049376.0000000009770000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.678948249.0000000002C59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevdsWZZIMnNFFEXhbCRbjgqtZrPAuKaBxxOBNYQS.exe4 vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000004.00000002.671324035.0000000000118000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIPermissionSetEntry.exeP vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000005.00000000.672407506.0000000000828000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIPermissionSetEntry.exeP vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamevdsWZZIMnNFFEXhbCRbjgqtZrPAuKaBxxOBNYQS.exe4 vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.909925723.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe | Binary or memory string: OriginalFilenameIPermissionSetEntry.exeP vs Shipping Documents000000000000000000020.exe
Source: Shipping Documents000000000000000000020.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Shipping Documents000000000000000000020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@8/7@0/0
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Documents000000000000000000020.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1e3l3n3j.fey.ps1
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Shipping Documents000000000000000000020.exe | Virustotal: Detection: 31%
Source: unknown | Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: Shipping Documents000000000000000000020.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Shipping Documents000000000000000000020.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: System.Management.Automation.pdb Windows source: powershell.exe, 00000002.00000002.761718998.000000000076E000.00000004.00000020.sdmp
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 0_2_008C2A15 push 00000035h; iretd
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 0_2_02AA70CC push edi; iretd
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 0_2_0807FA98 push 380808C3h; ret
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 0_2_0807FAA0 push esp; ret
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 0_2_08076F80 push eax; mov dword ptr [esp], ecx
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 0_2_0807137F push ecx; ret
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_008F12A1 push es; ret
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 4_2_00042A15 push 00000035h; iretd
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 5_2_00752A15 push 00000035h; iretd
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 5_2_00D47871 push ss; iretd
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 5_2_00D4BA50 pushfd ; retf
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 5_2_00D47A37 push edi; retn 0000h
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 5_2_00D44F59 push es; iretd
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 5_2_00FED95C push eax; ret
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeCode function: 5_2_00FEE28A push eax; ret
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.50975674252
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  barindex
                  Yara detected AntiVM3Show sources
                  Source: Yara match | File source: 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 7028, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4056
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2702
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Window / User API: threadDelayed 1436
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Window / User API: threadDelayed 8401
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 7032 | Thread sleep time: -101052s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 7052 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 7164 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5536 | Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 5664 | Thread sleep time: -15679732462653109s >= -30000s
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 5592 | Thread sleep count: 1436 > 30
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe TID: 5592 | Thread sleep count: 8401 > 30
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Thread delayed: delay time: 101052
                  Source: powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmp | Binary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.693194635.0000000009840000.00000004.00000001.sdmp | Binary or memory string: VMware
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: vmware
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.678948249.0000000002C59000.00000004.00000001.sdmp | Binary or memory string: k%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.693194635.0000000009840000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareZA5VSKAZWin32_VideoControllerOEZ77T6UVideoController120060621000000.000000-0002167..14display.infMSBDAU2GWMKX7PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsGESZD_RK
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910428362.0000000000F34000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: Shipping Documents000000000000000000020.exe, 00000000.00000002.678948249.0000000002C59000.00000004.00000001.sdmp | Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
                  Modifies the hosts file
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | File written: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Process created: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
                  Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910928221.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                  Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910928221.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910928221.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: Progman
                  Source: Shipping Documents000000000000000000020.exe, 00000005.00000002.910928221.00000000014F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Queries volume information: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
  Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (same query repeated 3 times)
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (same query repeated 3 times)
  Queries volume information: C:\ VolumeInformation
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (same query repeated 3 times)
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (same query repeated 2 times)
  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (same query repeated 2 times)
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
  Queries volume information: C:\ VolumeInformation
  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
  Queries volume information: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (same query repeated 3 times)
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | File written: C:\Windows\System32\drivers\etc\hosts

                  Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.684611255.000000000441C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 5752, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 7028, type: MEMORY
Source: Yara match | File source: 5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping Documents000000000000000000020.exe.452eed8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping Documents000000000000000000020.exe.452eed8.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipping Documents000000000000000000020.exe PID: 5752, type: MEMORY
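The behaviour lines in these sections are what an analyst pulls indicators from, and in this export the process path and the action verb have run together ("...exeFile written: ..."). As an added example (editor's code, not part of the Joe Sandbox report), the Python below parses lines in that flattened form, discards the font and assembly noise, and flags the three artifacts that matter here: the hosts-file write, the Chrome Login Data open, and the MachineGuid registry read. The sample lines are copied from this page; the Firefox store names in the second rule and the tactic labels are the editor's assumptions, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: behaviour lines copied from this report, in the flattened
# "Source: <process path><Action>: <target>" form the export produces.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation",
    r"Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeFile written: C:\Windows\System32\drivers\etc\hosts",
    r"Source: C:\Users\user\Desktop\Shipping Documents000000000000000000020.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation",
]

LINE_RE = re.compile(
    r"^Source: (?P<process>.+?\.exe)"          # process path ends at the first ".exe"
    r"(?P<action>[A-Z][a-z]+(?: [a-z]+)*): "   # "File written", "Key value queried", ...
    r"(?P<target>.+)$"
)


@dataclass
class Event:
    process: str
    action: str
    target: str


@dataclass
class Finding:
    rule: str
    tactic: str
    event: Event


# (rule name, required action, target pattern, tactic). The hosts-file and
# Login Data rules match signatures on this page; Firefox's logins.json and
# key4.db are added by the editor as the equivalent stores (assumption), and
# the tactic labels are the editor's reading of the report's ATT&CK matrix.
RULES = [
    ("Modifies the hosts file", "File written",
     re.compile(r"\\drivers\\etc\\hosts$", re.I), "Defense Evasion"),
    ("Browser credential store opened", "File opened",
     re.compile(r"\\(Login Data|logins\.json|key4\.db)$", re.I), "Credential Access"),
    ("Reads MachineGuid (host fingerprint)", "Key value queried",
     re.compile(r"\\Cryptography MachineGuid$", re.I), "Discovery"),
]


def parse_line(line: str) -> Optional[Event]:
    """Split one flattened behaviour line into process, action and target.
    Lines without a process path (e.g. 'Source: Yara match...') return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["process"], m["action"], m["target"])


def triage(lines) -> list:
    """Return the findings that match RULES, in input order; noise is dropped."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule, action, pattern, tactic in RULES:
            if ev.action == action and pattern.search(ev.target):
                findings.append(Finding(rule, tactic, ev))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.tactic}] {f.rule}: {f.event.process} -> {f.event.target}")
```

The first rule only records that the hosts file was written, which is all the report says; what was written has to be read off the infected host, so the finding is a pointer to collect `C:\Windows\System32\drivers\etc\hosts`, not a verdict on its contents.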

                  Remote Access Functionality:

Yara detected AgentTesla
Source: the same nine Yara matches listed under Stealing of Sensitive Information above (four memory dumps, two process memory spaces, three unpacked PE files)

                  Mitre Att&ck Matrix

The flattened matrix is rebuilt below as one line per tactic. A number in parentheses after a technique is the signature-count badge the matrix attaches to it (one digit per badge); only techniques carrying a number were observed for this sample, the rest are the matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (3 1 1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (1 2); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); File and Directory Permissions Modification (1); Disable or Modify Tools (1 1); Virtualization/Sandbox Evasion (2 4 1); Process Injection (1 2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (3)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (3 2 1); Process Discovery (2); Virtualization/Sandbox Evasion (2 4 1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (1 1 3); Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data (1 1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                  Behavior Graph


                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label
Shipping Documents000000000000000000020.exe | 31% | Virustotal | -
Shipping Documents000000000000000000020.exe | 100% | Joe Sandbox ML | -

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

Source | Detection | Scanner | Label
5.2.Shipping Documents000000000000000000020.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                  Domains

                  No Antivirus matches

                  URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://hhMcag.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com0 | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cneD | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://weather.gc.ca/astro/seeing_e.html) | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.krrmal | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fonts.comic | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htmb | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krP | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://crl.micr | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://RsDqkEurDsEYEYdu6ifh.netp | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigner | 0% | Avira URL Cloud | safe
http://RsDqkEurDsEYEYdu6ifh.net | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.sakkal.com. | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.sakkal.com-r | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kru-r5 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.krtn | 0% | Avira URL Cloud | safe
https://ion=v4.5 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm& | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
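The URL table above mixes three kinds of string: intact URLs, URLs with trailing bytes from adjacent memory ("co.krrmal", "com0", "comic", "comDynDNS"), and fragments that are not URLs at all ("https://ion=v4.5", "http://crl.micr"). As an added example (editor's code, not part of the Joe Sandbox report), the Python below normalizes such memory-carved strings onto hostnames and counts sightings, so the many near-duplicate rows collapse to one line per host and the analyst can see which hosts are worth following up. The TLD list and the sample input are the editor's assumptions; a production version would use the public-suffix list instead of the short tuple here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the URL strings listed in this report, as
# carved from process memory by the sandbox.
SAMPLE_URLS = [
    "http://127.0.0.1:HTTP/1.1",
    "http://hhMcag.com",
    "http://www.tiro.com0",
    "http://www.tiro.com",
    "http://www.tiro.com",
    "http://www.tiro.com",
    "http://www.sandoll.co.krrmal",
    "http://www.sandoll.co.krP",
    "http://www.sandoll.co.kr",
    "https://api.ipify.org%GETMozilla/5.0",
    "https://api.ipify.org%$",
    "http://crl.micr",
    "https://ion=v4.5",
    "http://www.fonts.comic",
    "http://DynDns.comDynDNS",
]

# Assumption: the TLDs that occur in this report. Anything else that follows a
# known TLD in the last label is treated as carving garbage and trimmed.
KNOWN_TLDS = ("com", "net", "org", "de", "kr", "cn", "jp", "ca")
HOST_CHARS = re.compile(r"[A-Za-z0-9.-]+")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def carve_host(url: str):
    """Return (host, status) for a memory-carved URL string.

    status: "clean" (last label is a known TLD), "trimmed" (garbage after a
    known TLD removed), "ip", "truncated" (string ended before a known TLD),
    or "invalid" (no usable host; host is None).
    """
    netloc = urlsplit(url).netloc
    m = HOST_CHARS.match(netloc)          # host stops at ':', '%', '=' ...
    if not m:
        return None, "invalid"
    host = m.group(0).lower().strip(".-")
    if IPV4.fullmatch(host):
        return host, "ip"
    labels = host.split(".")
    if len(labels) < 2:
        return None, "invalid"
    last = labels[-1]
    if last in KNOWN_TLDS:
        return host, "clean"
    for tld in sorted(KNOWN_TLDS, key=len, reverse=True):  # longest TLD first
        if last.startswith(tld):
            labels[-1] = tld
            return ".".join(labels), "trimmed"
    return host, "truncated"


def summarize(urls):
    """Collapse raw URL strings onto normalized hosts with sighting counts."""
    summary = {}
    for raw in urls:
        host, status = carve_host(raw)
        key = host if host is not None else raw   # keep unparseable strings visible
        entry = summary.setdefault(key, {"status": status, "count": 0, "raw": set()})
        entry["count"] += 1
        entry["raw"].add(raw)
        if status == "clean":
            entry["status"] = "clean"   # an intact sighting outranks a trimmed one
    return summary


if __name__ == "__main__":
    for host, e in sorted(summarize(SAMPLE_URLS).items()):
        print(f"{host:32} {e['status']:9} x{e['count']}  from {sorted(e['raw'])}")
```

Run over the full table, most of the surviving hosts (fontbureau, tiro, sandoll, goodfont, sajatypeworks, typography.net, galapagosdesign, fontfabrik, urwpp, sakkal, carterandcone, founder.com.cn, jiyu-kobo) are the vendor URLs that TrueType fonts carry in their name tables; the editor's reading is that they entered memory through the font enumeration recorded in the behaviour log and are noise. The hosts that do not fit that pattern (api.ipify.org, us2.smtp.mailhostbox.com from the memory listing below, the theonionrouter.com Tor bundle download, DynDns.com) are the ones to take to network logs.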

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | - | high
http://hhMcag.com | Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | Shipping Documents000000000000000000020.exe, 00000005.00000002.911793482.0000000002E9F000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers? | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com0 | Shipping Documents000000000000000000020.exe, 00000000.00000003.649103390.000000000810B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cneD | Shipping Documents000000000000000000020.exe, 00000000.00000003.650368334.00000000080F3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4 | Shipping Documents000000000000000000020.exe, 00000000.00000002.679109370.0000000002C67000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://weather.gc.ca/astro/seeing_e.html) | Shipping Documents000000000000000000020.exe | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krrmal | Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Shipping Documents000000000000000000020.exe, 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp | false
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fonts.comicShipping Documents000000000000000000020.exe, 00000000.00000003.648814135.000000000810B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/staff/dennis.htmbShipping Documents000000000000000000020.exe, 00000000.00000003.655343399.00000000080FC000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.sandoll.co.krPShipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.galapagosdesign.com/DPleaseShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://api.ipify.org%GETMozilla/5.0Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                low
                                http://www.ascendercorp.com/typedesigners.htmlShipping Documents000000000000000000020.exe, 00000000.00000003.651217175.00000000080FC000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fonts.comShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.sandoll.co.krShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.urwpp.deDPleaseShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.urwpp.deShipping Documents000000000000000000020.exe, 00000000.00000003.653487847.00000000080FC000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.zhongyicts.com.cnShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://crl.micrpowershell.exe, 00000002.00000003.760649561.0000000008CC0000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameShipping Documents000000000000000000020.exe, 00000000.00000002.679109370.0000000002C67000.00000004.00000001.sdmp, Shipping Documents000000000000000000020.exe, 00000000.00000002.678238591.0000000002C11000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.762903505.0000000004131000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.sakkal.comShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipShipping Documents000000000000000000020.exe, 00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp, Shipping Documents000000000000000000020.exe, 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.apache.org/licenses/LICENSE-2.0Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.comShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                        high
                                        http://DynDns.comDynDNSShipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000003.752210718.00000000007A9000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://RsDqkEurDsEYEYdu6ifh.netpShipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haShipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000003.752210718.00000000007A9000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmpfalse
                                          high
                                          https://go.micropowershell.exe, 00000002.00000003.737966315.0000000004AE1000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.ascendercorp.com/typedesignerShipping Documents000000000000000000020.exe, 00000000.00000003.651082600.00000000080FC000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://RsDqkEurDsEYEYdu6ifh.netShipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://github.com/Pester/Pesterpowershell.exe, 00000002.00000003.752210718.00000000007A9000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.763313916.0000000004272000.00000004.00000001.sdmpfalse
                                            high
                                            https://api.ipify.org%$Shipping Documents000000000000000000020.exe, 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.carterandcone.comlShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.founder.com.cn/cn/Shipping Documents000000000000000000020.exe, 00000000.00000003.650233295.00000000080F3000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sakkal.com.Shipping Documents000000000000000000020.exe, 00000000.00000003.651043701.00000000080FC000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cnShipping Documents000000000000000000020.exe, 00000000.00000003.650057465.00000000080FF000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.sakkal.com-rShipping Documents000000000000000000020.exe, 00000000.00000003.651043701.00000000080FC000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.com/designers/frere-user.htmlShipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmp, Shipping Documents000000000000000000020.exe, 00000000.00000003.652482542.00000000080FC000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.sandoll.co.kru-r5Shipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.goodfont.co.krtnShipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlShipping Documents000000000000000000020.exe, 00000000.00000003.652876433.00000000080FC000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://ion=v4.5powershell.exe, 00000002.00000002.761613549.00000000006F0000.00000004.00000020.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://www.galapagosdesign.com/staff/dennis.htm&Shipping Documents000000000000000000020.exe, 00000000.00000003.655343399.00000000080FC000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlXShipping Documents000000000000000000020.exe, 00000000.00000003.652876433.00000000080FC000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.com/designers8Shipping Documents000000000000000000020.exe, 00000000.00000002.689148486.0000000008260000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.sandoll.co.krn-uShipping Documents000000000000000000020.exe, 00000000.00000003.649783713.00000000080FF000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/Shipping Documents000000000000000000020.exe, 00000000.00000003.651941330.00000000080FC000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.urwpp.de.rShipping Documents000000000000000000020.exe, 00000000.00000003.653487847.00000000080FC000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.urwpp.deeShipping Documents000000000000000000020.exe, 00000000.00000003.653487847.00000000080FC000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:385348
Start date:12.04.2021
Start time:11:09:05
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 24s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:Shipping Documents000000000000000000020.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:18
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.adwa.spyw.evad.winEXE@8/7@0/0
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 1.7% (good quality ratio 1.2%)
• Quality average: 45%
• Quality standard deviation: 34.2%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Execution Graph export aborted for target Shipping Documents000000000000000000020.exe, PID 816 because there are no executed function
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:10:01	API Interceptor	609x Sleep call for process: Shipping Documents000000000000000000020.exe modified
11:10:31	API Interceptor	30x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Documents000000000000000000020.exe.log
Process:C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1406
Entropy (8bit):5.341099307467139
Encrypted:false
SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHg
MD5:69867B278D60059171E44B9D996D3934
SHA1:A3EA48217800614A1813EFAC9EF10DFD1436B5CA
SHA-256:F0BBFC5D53409EC9D7886DCF55E7D909AFD054B5C312624209D364F750ED5FEC
SHA-512:1539E7F2FA2BEADC006505C2F4FB6CCF065B31FE5E15CFC74C8578440C814B7BB1AADC2F77910F7E7CD85D0F0FABBC1AA57E4DDFEB148E9038C4D855E572C36E
Malicious:true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):14734
Entropy (8bit):4.996142136926143
Encrypted:false
SSDEEP:384:SEdVoGIpN6KQkj2Zkjh4iUxZvuiOOdBCNXp5nYoJib4J:SYV3IpNBQkj2Yh4iUxZvuiOOdBCNZlYO
MD5:B7D3A4EB1F0AED131A6E0EDF1D3C0414
SHA1:A72E0DDE5F3083632B7242D2407658BCA3E54F29
SHA-256:8E0EB5898DDF86FE9FE0011DD7AC6711BB0639A8707053D831FB348F9658289B
SHA-512:F9367BBEC9A44E5C08757576C56B9C8637D8A0A9D6220DE925255888E6A0A088C653E207E211A6796F6A7F469736D538EA5B9E094944316CF4E8189DDD3EED9D
Malicious:false
Preview: PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):20556
Entropy (8bit):5.578322063144952
Encrypted:false
SSDEEP:384:CtADeEURwGxx7UQwYeOYSBKnSultIiP7Q99ghSJUeRu1BMrmrZ9J1ldS:MLx7UIY4KSultdE8hXe1aG
MD5:892EBE5CEDC22F8692C84292998371E4
SHA1:FCE3038D2157031342A987867888DCE4D5F224A6
SHA-256:78886D96675465B2836F750523CD91FD8035C5147AD8F1048EB3D5D999D8737E
SHA-512:BD80DFC302922C24DF02F088FA42EA16460B26E2EBEBDC5332B1256FBB1F04FFA59E7DA74567E3C8C5A19ECC1AA74309BC6A1672542540977197F4DC8D8E2247
Malicious:false
Preview: @...e.....................E.....g.......'............@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)b.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1e3l3n3j.fey.ps1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqrz2va4.wdb.psm1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview: 1
                                                        C:\Users\user\Documents\20210412\PowerShell_transcript.980108.pF4zasZh.20210412111006.txt
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):3703
                                                        Entropy (8bit):5.274164731646126
                                                        Encrypted:false
                                                        SSDEEP:96:BZyj8NNqDo1Z2jZcj8NNqDo1Z8qhW0cW0cW0tZP:Pyyg
                                                        MD5:E5642136880E6A99ACE40163E854D870
                                                        SHA1:467D6F63C0CA1BF941707699996C2599DFB3C659
                                                        SHA-256:B288FF9F2B034C7D20DE245F523CD00047C60F40C04A31353D358BBA256A6937
                                                        SHA-512:3ABE21747D1ECDC5EC8197726A51A4382C2BAE3CD0F99270300B131913682CB96BD797197BF1266C810AC4958DFFC31554D74ED809C45D795B8920797A8E5617
                                                        Malicious:false
                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210412111021..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 980108 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe..Process ID: 5992..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210412111021..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe..**********************..Command start time: 20210412111422..**********************..PS>TerminatingError(Add-MpPr
                                                        C:\Windows\System32\drivers\etc\hosts
                                                        Process:C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):11
                                                        Entropy (8bit):2.663532754804255
                                                        Encrypted:false
                                                        SSDEEP:3:iLE:iLE
                                                        MD5:B24D295C1F84ECBFB566103374FB91C5
                                                        SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                                        SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                        SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                        Malicious:true
                                                        Preview: ..127.0.0.1

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.501743091602637
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Windows Screen Saver (13104/52) 0.07%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        File name:Shipping Documents000000000000000000020.exe
                                                        File size:872960
                                                        MD5:88926051eb8f9a2ff4ab25ce7a0ad41a
                                                        SHA1:e67ecfbae026b6643e2efb7e22a0b209658d943a
                                                        SHA256:40295912aeeb49a6c9cb45bf5981e80ed788de2984e6306ccfd8cbfdc6855c9c
                                                        SHA512:11651c034a9c7533c573359db6c8a312061824f37db033ba23bfc050f54e68768e37e92343613aedc9485964b5d2c25066b42c85d89bc5fddd930fe2509f2492
                                                        SSDEEP:12288:ig6kXAJ/2b2wJM0YoIVVT3qkZwQd4Ewym5oAA0K9oehaU+hDVD2UAdgGwUtMI6yh:0wAJUb0dPwyko+ONaU+hkd
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....us`..............P..F...........d... ........@.. ....................................@................................

                                                        File Icon

                                                        Icon Hash:00828e8e8686b000

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4d64ae
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x607375EE [Sun Apr 11 22:19:26 2021 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:v4.0.30319
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd645c | 0x4f | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd8000 | 0x800 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                        Sections

                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x2000 | 0xd44b4 | 0xd4600 | False | 0.755054673705 | data | 7.50975674252 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0xd8000 | 0x800 | 0x800 | False | 0.34423828125 | data | 3.62173282807 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0xda000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        Name | RVA | Size | Type | Language | Country
                                                        RT_VERSION | 0xd80a0 | 0x3e8 | data | |
                                                        RT_MANIFEST | 0xd8488 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                        Imports

                                                        DLL | Import
                                                        mscoree.dll | _CorExeMain

                                                        Version Infos

                                                        Description | Data
                                                        Translation | 0x0000 0x04b0
                                                        LegalCopyright | Copyright CodeUnit 2007
                                                        Assembly Version | 2007.8.28.1
                                                        InternalName | IPermissionSetEntry.exe
                                                        FileVersion | 2007.08.28.1
                                                        CompanyName | CodeUnit
                                                        LegalTrademarks |
                                                        Comments | Image Size Standardiser
                                                        ProductName | Image Size Standardiser
                                                        ProductVersion | 2007.08.28.1
                                                        FileDescription | Image Size Standardiser
                                                        OriginalFilename | IPermissionSetEntry.exe

                                                        Network Behavior

                                                        No network behavior found

                                                        Code Manipulations

                                                        Statistics

                                                        Behavior

                                                        System Behavior

                                                        General

                                                        Start time:11:09:51
                                                        Start date:12/04/2021
                                                        Path:C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
                                                        Imagebase:0x8c0000
                                                        File size:872960 bytes
                                                        MD5 hash:88926051EB8F9A2FF4AB25CE7A0AD41A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.684480154.0000000003C19000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.684611255.000000000441C000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.684212701.0000000003063000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        General

                                                        Start time:11:10:03
                                                        Start date:12/04/2021
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe'
                                                        Imagebase:0x920000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        General

                                                        Start time:11:10:03
                                                        Start date:12/04/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:10:04
                                                        Start date:12/04/2021
                                                        Path:C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
                                                        Imagebase:0x40000
                                                        File size:872960 bytes
                                                        MD5 hash:88926051EB8F9A2FF4AB25CE7A0AD41A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:10:04
                                                        Start date:12/04/2021
                                                        Path:C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\Shipping Documents000000000000000000020.exe
                                                        Imagebase:0x750000
                                                        File size:872960 bytes
                                                        MD5 hash:88926051EB8F9A2FF4AB25CE7A0AD41A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.908737908.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.911446110.0000000002B31000.00000004.00000001.sdmp, Author: Joe Security

                                                        Disassembly

                                                        Code Analysis
