Windows Analysis Report Shipping Doc.exe

Overview

General Information

Sample Name: Shipping Doc.exe
Analysis ID: 458885
MD5: 159d560ff64cdb2d130b1635f4123a49
SHA1: 5762036dd01f8a63ce29557c5c0464360500c7e6
SHA256: 065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
Tags: exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.shopjempress.com/amb6/"], "decoy": ["segurocars.com", "rylautosales.com", "xinglinjiankang.com", "dantil-brand.com", "sofaloffa.club", "coinclub2.com", "ez-pens.com", "gqtlqsw.com", "robotnewswire.com", "ktproductreviews.com", "merchbrander.com", "yesonamendmentb.com", "losgatoslimos.com", "kristincole.art", "metalmaids.online", "leftcoastmodels.com", "athetheist.com", "jblbusrtingsale.com", "chungcugiarehcm.com", "renblockchain.com", "bigdaddy.fish", "comproliverton.pro", "gzmove.com", "honeythymeherbfarm.com", "davinescosmetics.com", "9355693.com", "movinmemphis901.com", "patriotsrs.net", "dagelijkseschoenen.com", "a-want-ad.site", "theodbox.com", "audioky.net", "hopematthewsrealtor.com", "theonlinemoneymachine.com", "misakiti.com", "ad-yalong.com", "mikealazo.com", "marianoterra.com", "shivorja.com", "goodvibrationswindchimes.com", "pecom-deliverry.online", "amlexcel.com", "emeralddrumcompany.com", "dalipaella.com", "shopcamacci.com", "xucaiwujin.com", "bxs5000.com", "2en1institut.com", "zxzm47-wj.com", "builttek.com", "66400yy.com", "beegraze.com", "thedottedcat.com", "komsah.com", "4202nsacramentoav.info", "88q27.com", "toriengenharia.com", "briscoewelding.com", "brookelenzi.com", "tribaltrash.com", "bidtas.com", "shokhorror.com", "bodurm.com", "333.wiki"]}
Multi AV Scanner detection for submitted file
Source: Shipping Doc.exe Virustotal: Detection: 50% Perma Link
Source: Shipping Doc.exe Metadefender: Detection: 31% Perma Link
Source: Shipping Doc.exe ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Shipping Doc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.Shipping Doc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

barindex
Uses 32bit PE files
Source: Shipping Doc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Shipping Doc.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4x nop then pop esi 4_2_00417164
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4x nop then pop ebx 4_2_00407AFB
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4x nop then pop edi 4_2_00416C9C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop ebx 15_2_03207AFB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop esi 15_2_03217164
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop edi 15_2_03216C9C

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.shopjempress.com/amb6/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1Host: www.bigdaddy.fishConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1Host: www.davinescosmetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: global traffic HTTP traffic detected: GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1Host: www.bigdaddy.fishConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1Host: www.davinescosmetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.bigdaddy.fish
Source: cscript.exe, 0000000F.00000002.483172630.0000000005E2F000.00000004.00000001.sdmp String found in binary or memory: http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC
Source: explorer.exe, 00000006.00000000.282041503.00000000089C0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Shipping Doc.exe, 00000002.00000003.218505402.00000000057C6000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipping Doc.exe, 00000002.00000003.219138017.00000000057BE000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipping Doc.exe, 00000002.00000003.219469628.0000000005799000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalsdn
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomFU
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comlicd
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Shipping Doc.exe, 00000002.00000003.213525769.000000000579B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comicV
Source: Shipping Doc.exe, 00000002.00000003.213474844.000000000579B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comny
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn&
Source: Shipping Doc.exe, 00000002.00000003.216788502.0000000005786000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn4
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn8
Source: Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnP
Source: Shipping Doc.exe, 00000002.00000003.215912066.000000000578E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnd
Source: Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cny
Source: Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnz
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipping Doc.exe, 00000002.00000003.222324750.0000000005792000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/argeg
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/en-u
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/en-ut
Source: Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/fr-f
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
Source: Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/siv
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/vam&
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.coma7
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comiv
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.comc
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Shipping Doc.exe, 00000002.00000003.214716683.000000000579B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comI
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00419D60 NtCreateFile, 4_2_00419D60
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00419E10 NtReadFile, 4_2_00419E10
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00419E90 NtClose, 4_2_00419E90
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00419F40 NtAllocateVirtualMemory, 4_2_00419F40
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00419D5B NtCreateFile, 4_2_00419D5B
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00419E8B NtClose, 4_2_00419E8B
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00419F3A NtAllocateVirtualMemory, 4_2_00419F3A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_053D9910
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9540 NtReadFile,LdrInitializeThunk, 15_2_053D9540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D99A0 NtCreateSection,LdrInitializeThunk, 15_2_053D99A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D95D0 NtClose,LdrInitializeThunk, 15_2_053D95D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_053D9860
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9840 NtDelayExecution,LdrInitializeThunk, 15_2_053D9840
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9710 NtQueryInformationToken,LdrInitializeThunk, 15_2_053D9710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9780 NtMapViewOfSection,LdrInitializeThunk, 15_2_053D9780
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9FE0 NtCreateMutant,LdrInitializeThunk, 15_2_053D9FE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_053D9660
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9650 NtQueryValueKey,LdrInitializeThunk, 15_2_053D9650
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9A50 NtCreateFile,LdrInitializeThunk, 15_2_053D9A50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_053D96E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D96D0 NtCreateKey,LdrInitializeThunk, 15_2_053D96D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053DAD30 NtSetContextThread, 15_2_053DAD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9520 NtWaitForSingleObject, 15_2_053D9520
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9560 NtWriteFile, 15_2_053D9560
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9950 NtQueueApcThread, 15_2_053D9950
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D95F0 NtQueryInformationFile, 15_2_053D95F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D99D0 NtCreateProcessEx, 15_2_053D99D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9820 NtEnumerateKey, 15_2_053D9820
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053DB040 NtSuspendThread, 15_2_053DB040
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D98A0 NtWriteVirtualMemory, 15_2_053D98A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D98F0 NtReadVirtualMemory, 15_2_053D98F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9730 NtQueryVirtualMemory, 15_2_053D9730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053DA710 NtOpenProcessToken, 15_2_053DA710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9B00 NtSetValueKey, 15_2_053D9B00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9770 NtSetInformationFile, 15_2_053D9770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053DA770 NtOpenThread, 15_2_053DA770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9760 NtOpenProcess, 15_2_053D9760
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053DA3B0 NtGetContextThread, 15_2_053DA3B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D97A0 NtUnmapViewOfSection, 15_2_053D97A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9A20 NtResumeThread, 15_2_053D9A20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9610 NtEnumerateValueKey, 15_2_053D9610
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9A10 NtQuerySection, 15_2_053D9A10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9A00 NtProtectVirtualMemory, 15_2_053D9A00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9670 NtQueryInformationProcess, 15_2_053D9670
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D9A80 NtOpenDirectoryObject, 15_2_053D9A80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03219F40 NtAllocateVirtualMemory, 15_2_03219F40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03219E10 NtReadFile, 15_2_03219E10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03219E90 NtClose, 15_2_03219E90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03219D60 NtCreateFile, 15_2_03219D60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03219F3A NtAllocateVirtualMemory, 15_2_03219F3A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03219E8B NtClose, 15_2_03219E8B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03219D5B NtCreateFile, 15_2_03219D5B
Detected potential crypto function
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00417164 4_2_00417164
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_0041E1B3 4_2_0041E1B3
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_0041DAB4 4_2_0041DAB4
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_0041D360 4_2_0041D360
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00402D87 4_2_00402D87
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00409E40 4_2_00409E40
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05461D55 15_2_05461D55
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05390D20 15_2_05390D20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B4120 15_2_053B4120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539F900 15_2_0539F900
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AD5E0 15_2_053AD5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A841F 15_2_053A841F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451002 15_2_05451002
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AB090 15_2_053AB090
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CEBB0 15_2_053CEBB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B6E30 15_2_053B6E30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0321DAB4 15_2_0321DAB4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03217164 15_2_03217164
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0321E1B3 15_2_0321E1B3
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03202FB0 15_2_03202FB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03209E40 15_2_03209E40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03202D87 15_2_03202D87
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03202D90 15_2_03202D90
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0539B150 appears 32 times
Sample file is different than original file name gathered from version info
Source: Shipping Doc.exe, 00000002.00000000.210709159.00000000004B0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
Source: Shipping Doc.exe, 00000004.00000002.320202534.0000000000F90000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
Source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs Shipping Doc.exe
Source: Shipping Doc.exe, 00000004.00000002.320852896.0000000001C0F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Doc.exe
Source: Shipping Doc.exe Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
Uses 32bit PE files
Source: Shipping Doc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@2/2
Source: C:\Users\user\Desktop\Shipping Doc.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Doc.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
Source: Shipping Doc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shipping Doc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Shipping Doc.exe Virustotal: Detection: 50%
Source: Shipping Doc.exe Metadefender: Detection: 31%
Source: Shipping Doc.exe ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Users\user\Desktop\Shipping Doc.exe 'C:\Users\user\Desktop\Shipping Doc.exe'
Source: C:\Users\user\Desktop\Shipping Doc.exe Process created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Doc.exe Process created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe' Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Shipping Doc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Shipping Doc.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Binary contains a suspicious time stamp
Source: Shipping Doc.exe Static PE information: 0xAAC44811 [Thu Oct 14 14:37:05 2060 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00414A19 push ebp; ret 4_2_00414A1C
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_004046A7 push edx; ret 4_2_004046AC
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_0041CEB5 push eax; ret 4_2_0041CF08
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_0041CF6C push eax; ret 4_2_0041CF72
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_0041CF02 push eax; ret 4_2_0041CF08
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_0041CF0B push eax; ret 4_2_0041CF72
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_004167BF push ecx; iretd 4_2_004167C4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053ED0D1 push ecx; ret 15_2_053ED0E4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03214A19 push ebp; ret 15_2_03214A1C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0321CF02 push eax; ret 15_2_0321CF08
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0321CF0B push eax; ret 15_2_0321CF72
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0321CF6C push eax; ret 15_2_0321CF72
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_032167BF push ecx; iretd 15_2_032167C4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_03214F99 pushfd ; retf 15_2_03214F9A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_032046A7 push edx; ret 15_2_032046AC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0321CEB5 push eax; ret 15_2_0321CF08
Source: initial sample Static PE information: section name: .text entropy: 7.2014231354
Source: Shipping Doc.exe, jtOONAqGyrOQ0u8Ixk/bpT4mwco1CD693b7CN.cs High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'oPOobRO5Vf', 'xm0o4Sf5NR', 'iEhoUBHjQn', 'ijuoVsDDg2', 'MQ3opPNGI1', 'S3PoaRe2Zm', 'nWyo9cofXu'
Source: Shipping Doc.exe, RuGDW7WIWRL3vuqXmw/WrIPZ8OGPrQJVhLUng.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'rgxUTfEcE8', 'q8OZlL4Rke', 'x5iZK8bkZ8', 'G2oZhTFUiy', 'L68ZzSd862', 'V2KO3o6ooX', 'cAnOXHn0FW', 'wSEOMWMK2K'
Source: Shipping Doc.exe, hasvvCPjjpwAYaryty/EfFkrBZD9T3RSksP6r.cs High entropy of concatenated method names: 'Rj7pMjk0RG', 'yxxppukx53', '.ctor', 'uJxMm4pXjR', 'k9lMjtoI45', 'wSjM2XIjCC', 'gO5MrDyTRD', 'KrXMRRV4g5', 'uydM6uLlM6', 'YGpMTXkEhk'
Source: Shipping Doc.exe, QSqf1GDneX5foweMTs/gdXQIRHg06sMXH3Uxd.cs High entropy of concatenated method names: '.ctor', 'OFPUt83v9K', 'Dispose', 'mCOUJCTXYL', 'upBUseu0pH', 'HIXUhn1Ejd', 'I30U81QHfg', 'StGUGWc16P', 'X1iUOqmHqd', 'Ka0ZQEPwNI'
Source: Shipping Doc.exe, VfaCLA2tkrd397ihoB/buZV27SgYVJ8wKY7Z0.cs High entropy of concatenated method names: 'CMppZjWBMw', 'WSepPM9SAb', 'BJApjvbu0I', 'ReYpSqXGYT', 'hp3prsATrN', 'N3op30XIBP', 'YUZpyoUrkn', 'EV6p6ZDRrC', 'S0OpzLwnNq', 'uvNabGVwIQ'
Source: Shipping Doc.exe, UNAPpRk5a6XMif56PN/tbtYLjiE15X0m3NrV3.cs High entropy of concatenated method names: 'DownJlYGxJ', 'xuxnPXJrTV', 'w3mnbXLFql', 'fTqnDGgSIY', 'eINnmEc12d', 'nKXnd3ROy7', 'awc4e3Q42f', 'BhB4klsGCM', 'g6x4c5BQkZ', '.ctor'
Source: Shipping Doc.exe, UiJUy4BuRoHLOAKf06/xXY9csuTjhbcI1BP2L.cs High entropy of concatenated method names: '.ctor', 'Save', 'HAK5f06my', 'Load', 'HD3dcOlu8', 'L3tKrC2Wr', 'IdyxYvcVc', 'UiJGtlVLwBaQxjgBF6', 'PIkx4Wf1QZgiV6aU4i', 'Dmh9sciVAETbBXxfFa'
Source: Shipping Doc.exe, UOdyYvecVcmermsDhZ/RyGD3cgOlu803trC2W.cs High entropy of concatenated method names: '.ctor', 'RHvjJZq4E', 'p2nSuK03D', 'vRg006sMX', 'za8rj6Xgs', 'lcY3ZFXvZ', 'SuJyVgV3w', 'K5l6Xpqre', 'aboznP1OR', 'wKa4b4MTS2'
Source: Shipping Doc.exe, lfBAw24wG7RaGl4BUSW/LdIBF34ft0aEOrSOpS7.cs High entropy of concatenated method names: 'Dispose', 'ab0nKv0rYl', 'QfAnxS7FmM', 'KPJntrwakq', 'hrtnJqte2T', 'get_MinimumSize', 'set_MinimumSize', 'zaruECCxke', 'AUkuQwTOtd', 'kmkuL8FL2C'
Source: Shipping Doc.exe, xP7XZx4KUcy0rZpMq7p/C89e434dqTXWooX6OT2.cs High entropy of concatenated method names: 'e0riOZyeQf', 'PdXiWMlD76', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: Shipping Doc.exe, wUV9j84txMqsOMB0RNC/O8br1u4x3ZTxpBM3GKp.cs High entropy of concatenated method names: '.ctor', 'MStqzWqX98', 'Bbn63OwGFH', 'BinijXg983', 'zWEiSMBU7I', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: Shipping Doc.exe, m90oD71ZT6Wr9cSLC3/BCGZxMFmXU9h9JKBRA.cs High entropy of concatenated method names: '.ctor', 'd4MMkZMC3a', 'jwDMcNsXnd', 'Gp5MqvWKfg', 'SyIMHvh4nd', 'hUNMDI3IfP', 'mDWuCAUyBYn6ulPCLkn', 'glMALsU9egpF9gq6VvY', 'BPhg4AU0cm0xPgAcOUP', 'A1LpkmUKxjoeRJhgj5v'
Source: Shipping Doc.exe, sKgaUY4su4YTKa6GuYl/zgNK5N4JjGAZFgAu99M.cs High entropy of concatenated method names: '.ctor', 'UbQkbXvRlm', 'IODk4e1Qh2', 'csBkUTL3tc', 'khokVDYHrG', 'Gl8i6EIG8s', 'qyCiTn1nPR', 'FE7iz1aZDQ', 'gcBwMrofCMqEqIdiR6L', 'i3QNTaoieNlxFPGbQ4d'
Source: Shipping Doc.exe, I156H44Dv8rnIOySGfK/hltbY94HHwR3afLhEhf.cs High entropy of concatenated method names: '.ctor', 'aLPlf5n4CH', 'tIqlwf7H6m', 'tZJlo0KBRb', 'cpflU40tFN', 'wk5lV1CuJF', 'kyhlMnlNeC', 'xLolpUglD3', 'N0WlaMcuXO', 'XbElCFHsrk'
Source: Shipping Doc.exe, iTAtM84qSuFr2hs51c1/llm9gs4ch4IcMcmGnvJ.cs High entropy of concatenated method names: 'FIv9ZZdDqG', 'gQI9PDLDlN', 'q2H9mKTBvh', 'uM89jAIc2y', 'zL49SlfPPi', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: Shipping Doc.exe, aiLmWw4VnJDnSPTNJVN/XYryxx4U6BmknteXNOa.cs High entropy of concatenated method names: '.ctor', 'ukj9woe4c6', 'Dfu9EiQsTa', 'NuW9A6sETI', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'MmH4btFKnt5dqxSDm2G', 'hZ9OUfFVGF3Eyyj8DxB'
Source: Shipping Doc.exe, BLop0K4E7l9d1bylJUy/zJBh6F4IacA7iyEpXZO.cs High entropy of concatenated method names: 'L5eBi4Qigv', 'ixEBkeoTbq', 'FFgBo4KGaE', 'BSVBUenW6x', 'agMBMj6JFC', 'G76Bp97jPo', 'NEABaXP8gi', 'mb7BCbn9q3', 'oorB9rEwKt', 'zx5BYqnub6'
Source: Shipping Doc.exe, vNeJVt4AWwbHEvjgGer/LdlLQ14Qf610ZIAPrJw.cs High entropy of concatenated method names: '.ctor', 'QppedwFCcs', 'qd6eKe7iLK', 'GI4etXfotQ', 'wxEeJ5n5Hk', 'get_Multiline', 'set_Multiline', 'fOLB0NPOGK', 'okIBFsEdfE', 'A7HB1qoYTX'
Source: Shipping Doc.exe, nKYoUB4oxKLGj4jvd63/aLgWyc44ofXur00lLx1.cs High entropy of concatenated method names: 'VsAaQxSlAF', 'D09aAvsZj4', 'LmhaLRSl8M', 'okva5IYOyq', 'HKUad6KvCc', 'CAuaKRAFBD', 'J6paxwfEfU', 'iLlatruy0f', 'YF3aJVd6Ly', 'dX9aspur2U'

Hooking and other Techniques for Hiding and Protection:

barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE3
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Shipping Doc.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Shipping Doc.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 00000000032098E4 second address: 00000000032098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000003209B5E second address: 0000000003209B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00409A90 rdtsc 4_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Shipping Doc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 5516 Thread sleep time: -39781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 6132 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3340 Thread sleep time: -38000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 1392 Thread sleep time: -45000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Shipping Doc.exe Thread delayed: delay time: 39781 Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000006.00000000.280370116.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.273037707.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.280812513.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000006.00000000.311184656.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Shipping Doc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Shipping Doc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_00409A90 rdtsc 4_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Shipping Doc.exe Code function: 4_2_0040ACD0 LdrLoadDll, 4_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05413540 mov eax, dword ptr fs:[00000030h] 15_2_05413540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C513A mov eax, dword ptr fs:[00000030h] 15_2_053C513A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C513A mov eax, dword ptr fs:[00000030h] 15_2_053C513A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C4D3B mov eax, dword ptr fs:[00000030h] 15_2_053C4D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C4D3B mov eax, dword ptr fs:[00000030h] 15_2_053C4D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C4D3B mov eax, dword ptr fs:[00000030h] 15_2_053C4D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539AD30 mov eax, dword ptr fs:[00000030h] 15_2_0539AD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h] 15_2_053A3D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B4120 mov eax, dword ptr fs:[00000030h] 15_2_053B4120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B4120 mov eax, dword ptr fs:[00000030h] 15_2_053B4120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B4120 mov eax, dword ptr fs:[00000030h] 15_2_053B4120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B4120 mov eax, dword ptr fs:[00000030h] 15_2_053B4120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B4120 mov ecx, dword ptr fs:[00000030h] 15_2_053B4120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05399100 mov eax, dword ptr fs:[00000030h] 15_2_05399100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05399100 mov eax, dword ptr fs:[00000030h] 15_2_05399100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05399100 mov eax, dword ptr fs:[00000030h] 15_2_05399100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539B171 mov eax, dword ptr fs:[00000030h] 15_2_0539B171
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539B171 mov eax, dword ptr fs:[00000030h] 15_2_0539B171
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BC577 mov eax, dword ptr fs:[00000030h] 15_2_053BC577
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BC577 mov eax, dword ptr fs:[00000030h] 15_2_053BC577
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539C962 mov eax, dword ptr fs:[00000030h] 15_2_0539C962
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B7D50 mov eax, dword ptr fs:[00000030h] 15_2_053B7D50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05468D34 mov eax, dword ptr fs:[00000030h] 15_2_05468D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0541A537 mov eax, dword ptr fs:[00000030h] 15_2_0541A537
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D3D43 mov eax, dword ptr fs:[00000030h] 15_2_053D3D43
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BB944 mov eax, dword ptr fs:[00000030h] 15_2_053BB944
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BB944 mov eax, dword ptr fs:[00000030h] 15_2_053BB944
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C1DB5 mov eax, dword ptr fs:[00000030h] 15_2_053C1DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C1DB5 mov eax, dword ptr fs:[00000030h] 15_2_053C1DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C1DB5 mov eax, dword ptr fs:[00000030h] 15_2_053C1DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C61A0 mov eax, dword ptr fs:[00000030h] 15_2_053C61A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C61A0 mov eax, dword ptr fs:[00000030h] 15_2_053C61A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C35A1 mov eax, dword ptr fs:[00000030h] 15_2_053C35A1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CFD9B mov eax, dword ptr fs:[00000030h] 15_2_053CFD9B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CFD9B mov eax, dword ptr fs:[00000030h] 15_2_053CFD9B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_054241E8 mov eax, dword ptr fs:[00000030h] 15_2_054241E8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05392D8A mov eax, dword ptr fs:[00000030h] 15_2_05392D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05392D8A mov eax, dword ptr fs:[00000030h] 15_2_05392D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05392D8A mov eax, dword ptr fs:[00000030h] 15_2_05392D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05392D8A mov eax, dword ptr fs:[00000030h] 15_2_05392D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05392D8A mov eax, dword ptr fs:[00000030h] 15_2_05392D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05448DF1 mov eax, dword ptr fs:[00000030h] 15_2_05448DF1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CA185 mov eax, dword ptr fs:[00000030h] 15_2_053CA185
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BC182 mov eax, dword ptr fs:[00000030h] 15_2_053BC182
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0539B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0539B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0539B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AD5E0 mov eax, dword ptr fs:[00000030h] 15_2_053AD5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AD5E0 mov eax, dword ptr fs:[00000030h] 15_2_053AD5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_054169A6 mov eax, dword ptr fs:[00000030h] 15_2_054169A6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AB02A mov eax, dword ptr fs:[00000030h] 15_2_053AB02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AB02A mov eax, dword ptr fs:[00000030h] 15_2_053AB02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AB02A mov eax, dword ptr fs:[00000030h] 15_2_053AB02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AB02A mov eax, dword ptr fs:[00000030h] 15_2_053AB02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CBC2C mov eax, dword ptr fs:[00000030h] 15_2_053CBC2C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542C450 mov eax, dword ptr fs:[00000030h] 15_2_0542C450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542C450 mov eax, dword ptr fs:[00000030h] 15_2_0542C450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05461074 mov eax, dword ptr fs:[00000030h] 15_2_05461074
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05452073 mov eax, dword ptr fs:[00000030h] 15_2_05452073
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h] 15_2_05451C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0546740D mov eax, dword ptr fs:[00000030h] 15_2_0546740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0546740D mov eax, dword ptr fs:[00000030h] 15_2_0546740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0546740D mov eax, dword ptr fs:[00000030h] 15_2_0546740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05416C0A mov eax, dword ptr fs:[00000030h] 15_2_05416C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05416C0A mov eax, dword ptr fs:[00000030h] 15_2_05416C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05416C0A mov eax, dword ptr fs:[00000030h] 15_2_05416C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05416C0A mov eax, dword ptr fs:[00000030h] 15_2_05416C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05464015 mov eax, dword ptr fs:[00000030h] 15_2_05464015
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05464015 mov eax, dword ptr fs:[00000030h] 15_2_05464015
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B746D mov eax, dword ptr fs:[00000030h] 15_2_053B746D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05417016 mov eax, dword ptr fs:[00000030h] 15_2_05417016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05417016 mov eax, dword ptr fs:[00000030h] 15_2_05417016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05417016 mov eax, dword ptr fs:[00000030h] 15_2_05417016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B0050 mov eax, dword ptr fs:[00000030h] 15_2_053B0050
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B0050 mov eax, dword ptr fs:[00000030h] 15_2_053B0050
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CA44B mov eax, dword ptr fs:[00000030h] 15_2_053CA44B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CF0BF mov ecx, dword ptr fs:[00000030h] 15_2_053CF0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CF0BF mov eax, dword ptr fs:[00000030h] 15_2_053CF0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CF0BF mov eax, dword ptr fs:[00000030h] 15_2_053CF0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05468CD6 mov eax, dword ptr fs:[00000030h] 15_2_05468CD6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D90AF mov eax, dword ptr fs:[00000030h] 15_2_053D90AF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0542B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542B8D0 mov ecx, dword ptr fs:[00000030h] 15_2_0542B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0542B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0542B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0542B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0542B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A849B mov eax, dword ptr fs:[00000030h] 15_2_053A849B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05416CF0 mov eax, dword ptr fs:[00000030h] 15_2_05416CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05416CF0 mov eax, dword ptr fs:[00000030h] 15_2_05416CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05416CF0 mov eax, dword ptr fs:[00000030h] 15_2_05416CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05399080 mov eax, dword ptr fs:[00000030h] 15_2_05399080
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_054514FB mov eax, dword ptr fs:[00000030h] 15_2_054514FB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05413884 mov eax, dword ptr fs:[00000030h] 15_2_05413884
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05413884 mov eax, dword ptr fs:[00000030h] 15_2_05413884
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CE730 mov eax, dword ptr fs:[00000030h] 15_2_053CE730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05394F2E mov eax, dword ptr fs:[00000030h] 15_2_05394F2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05394F2E mov eax, dword ptr fs:[00000030h] 15_2_05394F2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05468B58 mov eax, dword ptr fs:[00000030h] 15_2_05468B58
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05468F6A mov eax, dword ptr fs:[00000030h] 15_2_05468F6A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BF716 mov eax, dword ptr fs:[00000030h] 15_2_053BF716
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CA70E mov eax, dword ptr fs:[00000030h] 15_2_053CA70E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CA70E mov eax, dword ptr fs:[00000030h] 15_2_053CA70E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C3B7A mov eax, dword ptr fs:[00000030h] 15_2_053C3B7A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C3B7A mov eax, dword ptr fs:[00000030h] 15_2_053C3B7A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0546070D mov eax, dword ptr fs:[00000030h] 15_2_0546070D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0546070D mov eax, dword ptr fs:[00000030h] 15_2_0546070D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542FF10 mov eax, dword ptr fs:[00000030h] 15_2_0542FF10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542FF10 mov eax, dword ptr fs:[00000030h] 15_2_0542FF10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539DB60 mov ecx, dword ptr fs:[00000030h] 15_2_0539DB60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AFF60 mov eax, dword ptr fs:[00000030h] 15_2_053AFF60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0545131B mov eax, dword ptr fs:[00000030h] 15_2_0545131B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539F358 mov eax, dword ptr fs:[00000030h] 15_2_0539F358
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539DB40 mov eax, dword ptr fs:[00000030h] 15_2_0539DB40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AEF40 mov eax, dword ptr fs:[00000030h] 15_2_053AEF40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CB390 mov eax, dword ptr fs:[00000030h] 15_2_053CB390
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A8794 mov eax, dword ptr fs:[00000030h] 15_2_053A8794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A1B8F mov eax, dword ptr fs:[00000030h] 15_2_053A1B8F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A1B8F mov eax, dword ptr fs:[00000030h] 15_2_053A1B8F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0544D380 mov ecx, dword ptr fs:[00000030h] 15_2_0544D380
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D37F5 mov eax, dword ptr fs:[00000030h] 15_2_053D37F5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0545138A mov eax, dword ptr fs:[00000030h] 15_2_0545138A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05417794 mov eax, dword ptr fs:[00000030h] 15_2_05417794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05417794 mov eax, dword ptr fs:[00000030h] 15_2_05417794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05417794 mov eax, dword ptr fs:[00000030h] 15_2_05417794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C03E2 mov eax, dword ptr fs:[00000030h] 15_2_053C03E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C03E2 mov eax, dword ptr fs:[00000030h] 15_2_053C03E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C03E2 mov eax, dword ptr fs:[00000030h] 15_2_053C03E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C03E2 mov eax, dword ptr fs:[00000030h] 15_2_053C03E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C03E2 mov eax, dword ptr fs:[00000030h] 15_2_053C03E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C03E2 mov eax, dword ptr fs:[00000030h] 15_2_053C03E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05465BA5 mov eax, dword ptr fs:[00000030h] 15_2_05465BA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05424257 mov eax, dword ptr fs:[00000030h] 15_2_05424257
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539E620 mov eax, dword ptr fs:[00000030h] 15_2_0539E620
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CA61C mov eax, dword ptr fs:[00000030h] 15_2_053CA61C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CA61C mov eax, dword ptr fs:[00000030h] 15_2_053CA61C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0544B260 mov eax, dword ptr fs:[00000030h] 15_2_0544B260
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0544B260 mov eax, dword ptr fs:[00000030h] 15_2_0544B260
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05468A62 mov eax, dword ptr fs:[00000030h] 15_2_05468A62
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053B3A1C mov eax, dword ptr fs:[00000030h] 15_2_053B3A1C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539AA16 mov eax, dword ptr fs:[00000030h] 15_2_0539AA16
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539AA16 mov eax, dword ptr fs:[00000030h] 15_2_0539AA16
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A8A0A mov eax, dword ptr fs:[00000030h] 15_2_053A8A0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539C600 mov eax, dword ptr fs:[00000030h] 15_2_0539C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539C600 mov eax, dword ptr fs:[00000030h] 15_2_0539C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0539C600 mov eax, dword ptr fs:[00000030h] 15_2_0539C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C8E00 mov eax, dword ptr fs:[00000030h] 15_2_053C8E00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D927A mov eax, dword ptr fs:[00000030h] 15_2_053D927A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BAE73 mov eax, dword ptr fs:[00000030h] 15_2_053BAE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BAE73 mov eax, dword ptr fs:[00000030h] 15_2_053BAE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BAE73 mov eax, dword ptr fs:[00000030h] 15_2_053BAE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BAE73 mov eax, dword ptr fs:[00000030h] 15_2_053BAE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053BAE73 mov eax, dword ptr fs:[00000030h] 15_2_053BAE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A766D mov eax, dword ptr fs:[00000030h] 15_2_053A766D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05399240 mov eax, dword ptr fs:[00000030h] 15_2_05399240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05399240 mov eax, dword ptr fs:[00000030h] 15_2_05399240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05399240 mov eax, dword ptr fs:[00000030h] 15_2_05399240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05399240 mov eax, dword ptr fs:[00000030h] 15_2_05399240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0544FE3F mov eax, dword ptr fs:[00000030h] 15_2_0544FE3F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A7E41 mov eax, dword ptr fs:[00000030h] 15_2_053A7E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A7E41 mov eax, dword ptr fs:[00000030h] 15_2_053A7E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A7E41 mov eax, dword ptr fs:[00000030h] 15_2_053A7E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A7E41 mov eax, dword ptr fs:[00000030h] 15_2_053A7E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A7E41 mov eax, dword ptr fs:[00000030h] 15_2_053A7E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A7E41 mov eax, dword ptr fs:[00000030h] 15_2_053A7E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0544FEC0 mov eax, dword ptr fs:[00000030h] 15_2_0544FEC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AAAB0 mov eax, dword ptr fs:[00000030h] 15_2_053AAAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053AAAB0 mov eax, dword ptr fs:[00000030h] 15_2_053AAAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CFAB0 mov eax, dword ptr fs:[00000030h] 15_2_053CFAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05468ED6 mov eax, dword ptr fs:[00000030h] 15_2_05468ED6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053952A5 mov eax, dword ptr fs:[00000030h] 15_2_053952A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053952A5 mov eax, dword ptr fs:[00000030h] 15_2_053952A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053952A5 mov eax, dword ptr fs:[00000030h] 15_2_053952A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053952A5 mov eax, dword ptr fs:[00000030h] 15_2_053952A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053952A5 mov eax, dword ptr fs:[00000030h] 15_2_053952A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CD294 mov eax, dword ptr fs:[00000030h] 15_2_053CD294
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053CD294 mov eax, dword ptr fs:[00000030h] 15_2_053CD294
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_0542FE87 mov eax, dword ptr fs:[00000030h] 15_2_0542FE87
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053A76E2 mov eax, dword ptr fs:[00000030h] 15_2_053A76E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C16E0 mov ecx, dword ptr fs:[00000030h] 15_2_053C16E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05460EA5 mov eax, dword ptr fs:[00000030h] 15_2_05460EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05460EA5 mov eax, dword ptr fs:[00000030h] 15_2_05460EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_05460EA5 mov eax, dword ptr fs:[00000030h] 15_2_05460EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_054146A7 mov eax, dword ptr fs:[00000030h] 15_2_054146A7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053C36CC mov eax, dword ptr fs:[00000030h] 15_2_053C36CC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 15_2_053D8EC7 mov eax, dword ptr fs:[00000030h] 15_2_053D8EC7
Enables debug privileges
Source: C:\Users\user\Desktop\Shipping Doc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.davinescosmetics.com
Source: C:\Windows\explorer.exe Domain query: www.bigdaddy.fish
Source: C:\Windows\explorer.exe Network Connect: 208.113.204.236 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Shipping Doc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Shipping Doc.exe Thread register set: target process: 3388 Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 3388 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Shipping Doc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Shipping Doc.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: DE0000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Shipping Doc.exe Process created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe' Jump to behavior
Source: explorer.exe, 00000006.00000000.262269287.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Users\user\Desktop\Shipping Doc.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior