Windows Analysis Report
shipping docs.exe

Overview

General Information

Sample Name: shipping docs.exe
Analysis ID: 756232
MD5: 6308ae755a893c15a989b1ccf2c56393
SHA1: 00ada70aa14a5cf26a7f8cecbaaa437267d30a2a
SHA256: 9dfdb5048599b1083fe534cf5fe5a0440d71eb74b5497e506f0a0a4c23821f40
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: shipping docs.exe ReversingLabs: Detection: 73%
Source: shipping docs.exe Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe ReversingLabs: Detection: 73%
Source: shipping docs.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Joe Sandbox ML: detected
Source: 3.0.shipping docs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 3.0.shipping docs.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage?chat_id=1644584536"}
Source: shipping docs.exe.3776.3.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage"}
Source: shipping docs.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: shipping docs.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49699 -> 149.154.167.220:443
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49700 -> 149.154.167.220:443
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49701 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: unknown DNS query: name: api.telegram.org
Source: unknown DNS query: name: api.telegram.org
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24f67b2ac65Host: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24f8bdcd188Host: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24f9334eaaaHost: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://Unbjpy.com
Source: shipping docs.exe, 00000003.00000002.534617829.000000000334B000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537871887.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534906198.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: shipping docs.exe, 00000003.00000002.514223306.0000000001202000.00000004.00000020.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.515645091.0000000001361000.00000004.00000020.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.512897668.0000000001029000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: shipping docs.exe, 00000000.00000003.239628147.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240423951.000000000548B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.364468167.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.373989607.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: shipping docs.exe, 00000000.00000003.242487064.0000000005480000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.245303030.0000000005479000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.245545950.000000000547D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: shipping docs.exe, 00000000.00000003.245303030.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers-
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: shipping docs.exe, 00000000.00000003.264268952.0000000005470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comgrita
Source: shipping docs.exe, 00000000.00000003.264268952.0000000005470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240126460.000000000548B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240159233.000000000548B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com8
Source: shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comtteJ
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.241823423.0000000005474000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242049495.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn%
Source: shipping docs.exe, 00000000.00000003.242044098.0000000005474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: shipping docs.exe, 00000000.00000003.241823423.0000000005474000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242158018.000000000547B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242049495.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnlJ
Source: shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnu-h
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/=
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ko
Source: shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.s.$
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240049534.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240150934.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239973997.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239942097.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240076834.0000000005494000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comteP$
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: shipping docs.exe, 00000000.00000003.241289310.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.krT
Source: shipping docs.exe, 00000000.00000003.241289310.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.krigh
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240459510.000000000548B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240423951.000000000548B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: VMqTMMD.exe, 00000015.00000002.533512375.00000000031B2000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534481256.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534906198.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://JIQ1JKgQReGyOBe.com
Source: shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/
Source: VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/1644584536%discordapi%yyy
Source: shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument
Source: shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org4
Source: shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24f67b2ac65Host: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.telegram.org
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: VMqTMMD.exe, 0000000E.00000002.340414070.00000000010F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 3.0.shipping docs.exe.400000.0.unpack, <PrivateImplementationDetails>{3C2C41D0-332C-4962-9787-6AE70BED21B1}/373B1236-2AE2-49F0-9CFA-D6A6068282F0.cs Large array initialization: .cctor: array initializer size 10969
Source: shipping docs.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: VMqTMMD.exe PID: 1280, type: MEMORYSTR Matched rule: webshell_jsp_generic_base64 date = 2021/01/24, author = Arnim Rupp, description = Generic JSP webshell with base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 1b916afdd415dfa4e77cecf47321fd676ba2184d
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_00B7E2D8 0_2_00B7E2D8
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_00B7E2C8 0_2_00B7E2C8
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_00B7BFC4 0_2_00B7BFC4
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04483635 0_2_04483635
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04480040 0_2_04480040
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_044813D0 0_2_044813D0
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04485C18 0_2_04485C18
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04481658 0_2_04481658
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04481668 0_2_04481668
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04486628 0_2_04486628
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04480800 0_2_04480800
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04480006 0_2_04480006
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04480810 0_2_04480810
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_044810A1 0_2_044810A1
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_044810B0 0_2_044810B0
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_044813C1 0_2_044813C1
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04A465B8 0_2_04A465B8
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 0_2_04A465A9 0_2_04A465A9
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_02DFFA00 3_2_02DFFA00
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_02DF6C00 3_2_02DF6C00
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F7E1A 3_2_061F7E1A
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F8818 3_2_061F8818
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F0040 3_2_061F0040
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F0910 3_2_061F0910
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F29F8 3_2_061F29F8
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066F0040 3_2_066F0040
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066F1850 3_2_066F1850
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066F7010 3_2_066F7010
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066FA8B8 3_2_066FA8B8
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066F4168 3_2_066F4168
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066F89A0 3_2_066F89A0
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066F6FBD 3_2_066F6FBD
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066FCC28 3_2_066FCC28
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066F4018 3_2_066F4018
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_0684F240 3_2_0684F240
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_0684C7C8 3_2_0684C7C8
Source: shipping docs.exe, 00000000.00000002.265751138.00000000024F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping docs.exe
Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe4 vs shipping docs.exe
Source: shipping docs.exe, 00000000.00000002.282085594.0000000006EF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping docs.exe
Source: shipping docs.exe, 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe4 vs shipping docs.exe
Source: shipping docs.exe, 00000000.00000000.236877884.00000000001D6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameV3VSkFfg.exe8 vs shipping docs.exe
Source: shipping docs.exe, 00000003.00000002.503928846.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs shipping docs.exe
Source: shipping docs.exe, 00000003.00000000.262634318.0000000000438000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe4 vs shipping docs.exe
Source: shipping docs.exe Binary or memory string: OriginalFilenameV3VSkFfg.exe8 vs shipping docs.exe
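The eight lines above show three different OriginalFilename values inside one process tree, none of them matching the delivered name: V3VSkFfg.exe is the on-disk sample's own VERSIONINFO value (it appears in the static scan and in the initial image of PID 0), MajorRevision.exe is a stage that exists only in the first process's memory, and the GUID-named 8c0e5951-...exe is the image mapped at 0x400000 in the re-spawned child (PID 3), i.e. the injected payload. The stray trailing character after each name (`<`, `4`, `8`, `T`) is the byte that follows the string in the dump, not part of the name. The check below is an added example, not part of the report: it pulls every OriginalFilename value out of a file or memory dump without a PE resource parser, by scanning for the UTF-16LE key the way the sandbox's string match does. The sample dump is constructed; the `_vs_string` helper, `MAX_NAME_CHARS` and the file-name comparison are assumptions for the demonstration.

```python
import sys
from pathlib import Path

ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le")
MAX_NAME_CHARS = 260  # assumption: MAX_PATH; a longer "name" is not a file name


def original_filenames(blob: bytes) -> list[str]:
    """Every value stored under the VERSIONINFO 'OriginalFilename' key in blob, in order of appearance.

    Works on a PE file or a raw memory dump: in VS_VERSIONINFO String entries the key and
    the value are UTF-16LE, NUL-terminated, and the value is padded to a DWORD boundary.
    """
    values, pos = [], 0
    while True:
        pos = blob.find(ORIGINAL_FILENAME_KEY, pos)
        if pos < 0:
            return values
        cur = pos + len(ORIGINAL_FILENAME_KEY)
        while cur < len(blob) and blob[cur] == 0:      # key terminator plus alignment padding
            cur += 1
        units = []
        while cur + 1 < len(blob) and len(units) < MAX_NAME_CHARS:
            unit = blob[cur:cur + 2]
            if unit == b"\0\0":                         # value terminator
                break
            units.append(unit)
            cur += 2
        try:
            value = b"".join(units).decode("utf-16-le")
        except UnicodeDecodeError:
            value = ""
        if value and value.isprintable():
            values.append(value)
        pos = cur


def name_mismatches(blob: bytes, on_disk_name: str) -> list[str]:
    """OriginalFilename values that differ from the name the file was delivered under."""
    return sorted({v for v in original_filenames(blob) if v.lower() != on_disk_name.lower()})


def _vs_string(key: str, value: str) -> bytes:
    """Wire form of one VERSIONINFO key/value pair (constructed for the sample; struct headers omitted)."""
    k = key.encode("utf-16-le") + b"\0\0"
    k += b"\0" * ((4 - len(k) % 4) % 4)
    return k + value.encode("utf-16-le") + b"\0\0"


# Constructed stand-in for a memory dump of the first process: three version resources,
# with the names the report observed, separated by unrelated bytes.
SAMPLE_DUMP = (
    b"\0" * 16
    + _vs_string("OriginalFilename", "MajorRevision.exe") + b"\0" * 8
    + _vs_string("InternalName", "stub")
    + _vs_string("OriginalFilename", "8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe") + b"\0" * 4
    + _vs_string("OriginalFilename", "shipping docs.exe")
)

if __name__ == "__main__":
    # usage: python originalfilename.py <file-or-dump>   (defaults to the constructed sample)
    if len(sys.argv) > 1:
        path = Path(sys.argv[1])
        blob, name = path.read_bytes(), path.name
    else:
        blob, name = SAMPLE_DUMP, "shipping docs.exe"
    print("OriginalFilename values:", original_filenames(blob))
    print("not matching", repr(name) + ":", name_mismatches(blob, name))
```

One binary or process dump carrying several OriginalFilename values, none equal to the on-disk name, is the pattern of a multi-stage loader like this one; a single mismatch on its own is common (renamed installers) and needs the other indicators in this report before it means anything.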
Source: shipping docs.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yVGAJfiVEvtg.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VMqTMMD.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: shipping docs.exe ReversingLabs: Detection: 73%
Source: shipping docs.exe Virustotal: Detection: 47%
Source: C:\Users\user\Desktop\shipping docs.exe File read: C:\Users\user\Desktop\shipping docs.exe
Source: C:\Users\user\Desktop\shipping docs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\shipping docs.exe C:\Users\user\Desktop\shipping docs.exe
Source: C:\Users\user\Desktop\shipping docs.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\shipping docs.exe Process created: C:\Users\user\Desktop\shipping docs.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe "C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe {path}
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe {path}
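The process tree above repeats one three-step pattern for the initial sample, for the dropped yVGAJfiVEvtg.exe and for VMqTMMD.exe: spawn schtasks.exe with /Create, hand it a task definition written to %LOCALAPPDATA%\Temp\tmpXXXX.tmp, then re-launch the own image ({path}) as the target for injection. Note that the command line names C:\Windows\System32\schtasks.exe while the image that actually runs is C:\Windows\SysWOW64\schtasks.exe: the 32-bit process is subject to WOW64 file-system redirection, so a detection should match on the basename rather than the full path. The detector below is an added example, not part of the report, mirroring the "Scheduled temp file as task from temp location" Sigma finding on process-creation telemetry (Sysmon event 1 or 4688 with command-line auditing). The three malicious events are transcribed from the report, closing quote missing as captured; the two benign events and the path regexes are constructed assumptions.

```python
import re

# The sandbox-captured command lines drop the closing quote after the /XML path, so it is optional here.
XML_ARG = re.compile(r'/XML\s+"?([^"]+?)"?\s*$', re.I)
TASK_ARG = re.compile(r'/TN\s+"?([^"]+?)"?(?=\s|$)', re.I)
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)\\", re.I)  # assumption


def classify(event: dict) -> list[str]:
    """Reasons a process-creation event looks like scheduled-task persistence; empty when benign."""
    image, parent, cmd = event["image"], event["parent"], event["cmdline"]
    # basename match: under WOW64 the 32-bit parent asks for System32 but gets SysWOW64
    if not re.search(r"\\schtasks\.exe$", image, re.I) or not re.search(r"/create\b", cmd, re.I):
        return []
    reasons = []
    xml = XML_ARG.search(cmd)
    if xml and TEMP_DIR.search(xml.group(1)):
        reasons.append(f"task definition read from a temp directory: {xml.group(1)}")
    if USER_WRITABLE.search(parent):
        reasons.append(f"schtasks launched by a binary in a user-writable path: {parent}")
    return reasons


def hunt(events: list[dict]) -> list[dict]:
    """Run classify() over a batch of events and return the hits with the task name they register."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            task = TASK_ARG.search(ev["cmdline"])
            hits.append({"task": task.group(1) if task else None, "parent": ev["parent"], "reasons": reasons})
    return hits


EVENTS = [
    # the three schtasks launches observed in the report
    {"parent": r"C:\Users\user\Desktop\shipping docs.exe", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp'},
    {"parent": r"C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp'},
    {"parent": r"C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp'},
    # constructed benign events: a query, and an installer registering a task from its own directory
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"parent": r"C:\Program Files\ExampleVendor\Setup.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "ExampleVendor\Update" /XML "C:\Program Files\ExampleVendor\update.xml"'},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["task"], "<-", hit["parent"])
        for r in hit["reasons"]:
            print("   -", r)
```

Either reason alone is worth a look; both together, three times in a row with the same task name and a fresh tmpXXXX.tmp each time, is the re-registration loop this family performs on every launch.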
Source: C:\Users\user\Desktop\shipping docs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe File created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
Source: C:\Users\user\Desktop\shipping docs.exe File created: C:\Users\user\AppData\Local\Temp\tmp7934.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/9@3/2
Source: C:\Users\user\Desktop\shipping docs.exe File read: C:\Users\user\Desktop\desktop.ini
Source: shipping docs.exe, 00000003.00000002.533196722.00000000032F7000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.536517685.000000000345B000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.533441099.00000000031AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: shipping docs.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\shipping docs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_01
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Mutant created: \Sessions\1\BaseNamedObjects\FlPBfsykXUODZXqmIBIomiteD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
Source: 3.0.shipping docs.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\shipping docs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\shipping docs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\shipping docs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: shipping docs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: shipping docs.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_02DF0007 push ecx; retf 3_2_02DF0042
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_02DF0430 push ecx; retf 3_2_02DF0446
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F3692 push es; iretd 3_2_061F3B3C
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F3701 push es; iretd 3_2_061F3B3C
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061FE767 push es; ret 3_2_061FE868
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F3448 push es; iretd 3_2_061F3B3C
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F34CF push es; iretd 3_2_061F3B3C
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F7CF0 push es; ret 3_2_061F7D00
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F353F push es; iretd 3_2_061F3B3C
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F35AD push es; iretd 3_2_061F3B3C
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_061F1910 push es; ret 3_2_061F1920
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066FA8B8 push cs; retn 066Fh 3_2_066FC819
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066F9FF8 pushfd ; retf 065Fh 3_2_066FA08D
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_066FC8DE push es; retf 3_2_066FC928
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_06849AE1 push es; ret 3_2_06849AF0
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_06844387 push edi; retn 0000h 3_2_06844389
Source: initial sample Static PE information: section name: .text entropy: 7.898839095668671
Source: C:\Users\user\Desktop\shipping docs.exe File created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
Source: C:\Users\user\Desktop\shipping docs.exe File created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
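A .text entropy of 7.90 bits per byte is far above what a compiler emits for code and is the static side of what the report sees dynamically: the section is mostly an encrypted blob that the loader decrypts at run time (the TransformFinalBlock / CreateDecryptor calls in A/f2.cs) before mapping the result at 0x400000 in the re-spawned child. The section walker below is an added example, not part of the report, that reproduces the measurement against any PE without third-party modules and also flags writable-and-executable sections. The 7.0 threshold, the synthetic PE builder and the two sample images are assumptions constructed for the demonstration; on the real sample the .text section would score the 7.90 reported.

```python
import math
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0  # assumption: compiler-emitted code lands around 6; packed/encrypted code sits above 7


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, characteristics, raw_bytes) for every section header of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature; only NumberOfSections and SizeOfOptionalHeader matter here
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size
    for _ in range(nsections):
        (name, _vsize, _va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", image, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), chars, image[raw_ptr:raw_ptr + raw_size]
        off += 40


def suspicious_sections(image: bytes, threshold: float = ENTROPY_THRESHOLD) -> list:
    """[(name, entropy, [reasons])] for sections that look packed or built for in-place unpacking."""
    findings = []
    for name, chars, raw in pe_sections(image):
        h = shannon_entropy(raw)
        reasons = []
        if chars & IMAGE_SCN_MEM_EXECUTE and h >= threshold:
            reasons.append(f"executable section with entropy {h:.2f}: likely packed or encrypted code")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append("section is writable and executable: room for an in-place unpacking stub")
        if reasons:
            findings.append((name, h, reasons))
    return findings


def build_test_pe(sections) -> bytes:
    """Assemble a minimal, non-loadable PE32 image from [(name, characteristics, data)].
    Constructed only so the parser above can be exercised offline."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (headers_end + align - 1) // align * align
    section_table, body = b"", b""
    for i, (name, chars, data) in enumerate(sections):
        raw_size = (len(data) + align - 1) // align * align
        section_table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                                     0x1000 * (i + 1), raw_size, raw_base + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
    dos_header = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional_header = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    headers = dos_header + b"PE\0\0" + file_header + optional_header + section_table
    return headers.ljust(raw_base, b"\0") + body


# Constructed stand-ins: a "packed" .text with a uniform byte distribution (entropy 8.0, just above
# the 7.90 the report measured) next to a .text made of a repeating function-prologue pattern.
PACKED_IMAGE = build_test_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, bytes(range(256)) * 16),
])
PLAIN_IMAGE = build_test_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x55\x8b\xec\x83\xec\x10" * 700),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"A" * 100),
])

if __name__ == "__main__":
    # usage: python pe_entropy.py <file.exe>   (defaults to the constructed packed image)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_IMAGE
    for name, entropy, reasons in suspicious_sections(image):
        print(f"{name:<8} entropy={entropy:.3f}")
        for r in reasons:
            print("   -", r)
```

Entropy is a triage signal, not a verdict: legitimately compressed resources, embedded certificates and code signed with large tables also score high, which is why the check is restricted to sections marked executable.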

Boot Survival

Source: C:\Users\user\Desktop\shipping docs.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
Source: C:\Users\user\Desktop\shipping docs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VMqTMMD
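Two persistence mechanisms are registered here: the Updates\yVGAJfiVEvtg scheduled task, created by schtasks from the XML in the temp directory, and an HKCU ...\CurrentVersion\Run value named VMqTMMD. The auditor below is an added example, not part of the report; it parses a Task Scheduler XML definition of the kind schtasks /Create /XML consumes (and the kind stored under the Tasks folder in System32) and flags actions that run from user-writable paths, hidden tasks and logon/boot triggers. Both sample definitions are constructed: the task name and the AppData path come from the report, but the report does not show the XML contents, so that the task launches the dropped yVGAJfiVEvtg.exe is an assumption, and the benign defrag task and the USER_WRITABLE path list are assumptions as well.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed set of locations a standard user can write to; tune per estate.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\|\\ProgramData\\|\\Temp\\", re.I)

# Constructed task definition: name and path from the report, the launched binary is an assumption.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updates\yVGAJfiVEvtg</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: a system binary on a calendar trigger, not hidden.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2022-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""


def audit_task(xml_doc) -> dict:
    """Parse one task definition (str or bytes) and return its name, actions, triggers and findings."""
    root = ET.fromstring(xml_doc)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS) or ""
    commands = [(e.text or "").strip() for e in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    triggers = [e.tag.rsplit("}", 1)[-1] for e in root.findall("t:Triggers/*", TASK_NS)]
    hidden = (root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS) or "").strip().lower() == "true"
    findings = []
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append(f"action runs a binary from a user-writable path: {cmd}")
    if hidden:
        findings.append("task is marked Hidden (not shown in the Task Scheduler UI by default)")
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        findings.append(f"task re-runs at logon/boot: {', '.join(triggers)}")
    return {"name": name.strip(), "commands": commands, "triggers": triggers, "findings": findings}


def audit_tasks_folder(folder: str) -> list[dict]:
    """Audit every on-disk task definition below folder; on-disk tasks are UTF-16 XML with a BOM,
    which expat handles when it is given the raw bytes. Returns only tasks with findings."""
    results = []
    for path in Path(folder).rglob("*"):
        if path.is_file():
            try:
                results.append(audit_task(path.read_bytes()))
            except ET.ParseError:
                continue
    return [r for r in results if r["findings"]]


if __name__ == "__main__":
    # usage: python task_audit.py [tasks-folder]   (defaults to the constructed sample)
    reports = audit_tasks_folder(sys.argv[1]) if len(sys.argv) > 1 else [audit_task(SAMPLE_TASK_XML)]
    for r in reports:
        print(r["name"], r["commands"])
        for f in r["findings"]:
            print("   -", f)
```

The same function takes the output of schtasks /Query /TN <name> /XML on a live host; the Run value is the simpler half and is checked by reading HKCU\Software\Microsoft\Windows\CurrentVersion\Run and applying the same user-writable-path test to each value's command.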

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\shipping docs.exe File opened: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe File opened: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\shipping docs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: Yara match File source: 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 4552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VMqTMMD.exe PID: 1280, type: MEMORYSTR
Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\shipping docs.exe TID: 2292 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\shipping docs.exe TID: 1708 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\shipping docs.exe TID: 6088 Thread sleep count: 9753 > 30
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe TID: 5596 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 3956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 2092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe TID: 4912 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe TID: 3324 Thread sleep count: 9727 > 30
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 908 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 1392 Thread sleep count: 9676 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\shipping docs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping docs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping docs.exe Window / User API: threadDelayed 9753
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Window / User API: threadDelayed 9727
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Window / User API: threadDelayed 9676
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\shipping docs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping docs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Thread delayed: delay time: 922337203685477
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: VMqTMMD.exe, 00000015.00000002.512897668.0000000001029000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: shipping docs.exe, 00000003.00000002.514223306.0000000001202000.00000004.00000020.00020000.00000000.sdmp, shipping docs.exe, 00000003.00000003.309409191.00000000011FB000.00000004.00000020.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.552042956.0000000006640000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\shipping docs.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\shipping docs.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\shipping docs.exe Code function: 3_2_0684DA38 LdrInitializeThunk, 3_2_0684DA38
Source: C:\Users\user\Desktop\shipping docs.exe Memory allocated: page read and write | page guard
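
The evasion findings above (WMI queries against Win32_BaseBoard, Win32_NetworkAdapterConfiguration and Win32_Processor, thread sleeps at or beyond the sandbox's 30000 ms threshold, sleep loops above 30 iterations, and VMware / Sandboxie / Wine strings in process memory) are more useful correlated per process than read one line at a time. The script below is an added example and is not part of this report or of the sandbox's own tooling: it parses a handful of the report's own "Source:" lines (pasted verbatim into SAMPLE_LINES) and builds a per-process evasion profile. The WMI class watchlist, the artifact keyword list and the is_evasive rule are the editor's assumptions; the thresholds (30000 ms, 30 iterations) are read from the lines themselves.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a subset of the "Source:" lines from this report's
# "Malware Analysis System Evasion" section, pasted as plain text.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\shipping docs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe TID: 2292 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe TID: 6088 Thread sleep count: 9753 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
""".strip().splitlines()

# WMI classes that expose hypervisor hardware (board manufacturer, BIOS, NIC MAC
# OUI, CPU). This is an analyst watchlist (assumption), not something the report defines.
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_BIOS", "Win32_ComputerSystem", "Win32_Processor",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
    "Win32_VideoController", "Win32_DiskDrive",
}
# Substrings of hypervisor / sandbox artifacts; the report shows these in memory.
VM_ARTIFACT_KEYWORDS = ("vmware", "virtualbox", "vbox", "qemu", "sbiedll", "wine_get_unix_file_name")

RE_MEMSTR = re.compile(r"^Source: (?P<srcs>.+?) Binary or memory string: (?P<s>.*)$")
RE_EVENT = re.compile(r"^Source: (?P<path>.+?\.exe) (?P<rest>.*)$", re.IGNORECASE)
RE_WMI = re.compile(r"root\\cimv2 : (?:SELECT \* FROM )?(?P<cls>Win32_\w+)")
RE_SLEEP = re.compile(r"Thread sleep time: -?(?P<ms>\d+)s >= -?(?P<thr>\d+)s")
RE_COUNT = re.compile(r"Thread sleep count: (?P<n>\d+) > (?P<thr>\d+)")


def _new_profile():
    return {"wmi_classes": set(), "artifact_strings": set(), "long_sleeps": 0, "sleep_loops": 0}


def analyze(lines):
    """Build one evasion profile per process, keyed by image basename."""
    profiles = defaultdict(_new_profile)
    for line in lines:
        m = RE_MEMSTR.match(line)
        if m:
            # Memory-string lines may name several source processes and dumps.
            hits = {k for k in VM_ARTIFACT_KEYWORDS if k in m["s"].lower()}
            for src in m["srcs"].split(","):
                src = src.strip()
                if hits and src.lower().endswith(".exe"):
                    profiles[src]["artifact_strings"] |= hits
            continue
        m = RE_EVENT.match(line)
        if not m:
            continue
        prof = profiles[PureWindowsPath(m["path"]).name]
        rest = m["rest"]
        w = RE_WMI.search(rest)
        if w and w["cls"] in VM_FINGERPRINT_CLASSES:
            prof["wmi_classes"].add(w["cls"])
        s = RE_SLEEP.search(rest)           # sandbox prints relative times as negatives
        if s and int(s["ms"]) >= int(s["thr"]):
            prof["long_sleeps"] += 1
        c = RE_COUNT.search(rest)
        if c and int(c["n"]) > int(c["thr"]):
            prof["sleep_loops"] += 1
    return dict(profiles)


def is_evasive(profile):
    """Hardware fingerprinting alone is common in legitimate software, and so is
    stalling. Flag the combination this report shows: the process both probes for
    hypervisor hardware or sandbox artifacts and stalls its own execution."""
    fingerprints = len(profile["wmi_classes"]) >= 2 or bool(profile["artifact_strings"])
    stalls = profile["long_sleeps"] > 0 or profile["sleep_loops"] > 0
    return fingerprints and stalls


if __name__ == "__main__":
    for name, prof in analyze(SAMPLE_LINES).items():
        print(f"{name}: evasive={is_evasive(prof)} wmi={sorted(prof['wmi_classes'])} "
              f"artifacts={sorted(prof['artifact_strings'])} "
              f"long_sleeps={prof['long_sleeps']} sleep_loops={prof['sleep_loops']}")
```

Run against the full report text instead of SAMPLE_LINES and the three sample processes are flagged while conhost.exe, which only shows "Thread delayed" because it hosts the schtasks console, is not. The sleep value 922337203685477 ms is Int64.MaxValue in 100 ns ticks divided by 10000, i.e. a .NET Sleep with an effectively infinite timeout; the score treats it like any other over-threshold sleep.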

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\shipping docs.exe Memory written: C:\Users\user\Desktop\shipping docs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Memory written: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Memory written: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\shipping docs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp"
Source: C:\Users\user\Desktop\shipping docs.exe Process created: C:\Users\user\Desktop\shipping docs.exe {path}
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp"
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe {path}
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp"
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe {path}
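
The two findings above belong together. Each stage spawns a second instance of its own image ({path} is the sandbox's way of saying the child's command line equals the parent's path), writes a PE image (value starts with 4D5A, the "MZ" header) at that instance's image base 0x400000, and registers persistence with schtasks /Create, feeding the task definition from a tmpXXXX.tmp file in the user's Temp directory. The Python below is an added example, not code from this report or from the sandbox vendor: it runs both detections over constructed Sysmon-style events reconstructed from those lines, plus one invented benign control (an installer registering a task from Program Files). The field names, the user-writable directory list and the tmpXXXX.tmp name pattern (the shape of .NET Path.GetTempFileName output) are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed events modelled on the "Process created" and "Memory written" lines
# of this report. Field names follow Sysmon-style naming (assumption); the final
# setup.exe event is an invented benign control and does not appear in the report.
EVENTS = [
    {"type": "process_create",
     "parent": r"C:\Users\user\Desktop\shipping docs.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp"'},
    {"type": "process_create",
     "parent": r"C:\Users\user\Desktop\shipping docs.exe",
     "image": r"C:\Users\user\Desktop\shipping docs.exe",
     "cmdline": "{path}"},
    {"type": "memory_write",
     "source": r"C:\Users\user\Desktop\shipping docs.exe",
     "target": r"C:\Users\user\Desktop\shipping docs.exe",
     "base": 0x400000, "first_bytes": bytes.fromhex("4D5A9000")},
    {"type": "process_create",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\task.xml"'},
]

# Parent locations from which a legitimate installer rarely registers tasks (assumption).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# .NET Path.GetTempFileName() produces tmpXXXX.tmp with four hex digits.
RE_TMPNAME = re.compile(r"^tmp[0-9a-f]{4}\.tmp$", re.IGNORECASE)


def _arg(cmdline, flag):
    """Value following a schtasks flag, quoted or bare; None when absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', cmdline, re.IGNORECASE)
    return (m["q"] or m["u"]) if m else None


def detect_scheduled_task_persistence(ev):
    """schtasks /Create fed an XML definition from a tmpXXXX.tmp file in a Temp
    directory, launched by a binary living under a user-writable path."""
    if ev["type"] != "process_create" or PureWindowsPath(ev["image"]).name.lower() != "schtasks.exe":
        return None
    cmd = ev["cmdline"]
    if "/create" not in cmd.lower():
        return None
    xml = _arg(cmd, "/XML")
    if not xml:
        return None
    xml_is_temp = "\\temp\\" in xml.lower() and RE_TMPNAME.match(PureWindowsPath(xml).name) is not None
    parent_user_writable = any(d in ev["parent"].lower() for d in USER_WRITABLE)
    if xml_is_temp and parent_user_writable:
        return {"rule": "schtasks_xml_from_temp", "task": _arg(cmd, "/TN"),
                "xml": xml, "parent": ev["parent"]}
    return None


def detect_self_hollowing(events):
    """A process spawns a copy of its own image and writes a PE header (4D5A, "MZ")
    at that copy's image base: the sequence the report records as Memory written."""
    self_spawns = {e["image"].lower() for e in events
                   if e["type"] == "process_create" and e["image"].lower() == e["parent"].lower()}
    alerts = []
    for e in events:
        if e["type"] != "memory_write":
            continue
        same_image = e["source"].lower() == e["target"].lower()
        pe_header = e["first_bytes"][:2] == b"MZ"
        if same_image and pe_header and e["source"].lower() in self_spawns:
            alerts.append({"rule": "pe_written_into_own_child",
                           "image": e["source"], "base": hex(e["base"])})
    return alerts


def run(events):
    alerts = [a for a in (detect_scheduled_task_persistence(e) for e in events) if a]
    alerts.extend(detect_self_hollowing(events))
    return alerts


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

The task rule keys on the XML path rather than on the task name, because "Updates\<random>" changes per build while the tmpXXXX.tmp hand-off from a user-profile parent does not. The hollowing rule requires all three conditions (self-spawn, same image as target, MZ at the image base); a write of MZ into a foreign process is a different, also interesting, case that this example does not cover.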
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Users\user\Desktop\shipping docs.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Users\user\Desktop\shipping docs.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR
Source: C:\Users\user\Desktop\shipping docs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\shipping docs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR
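
The behaviour lines in this section and the volume-information section above are the sandbox's raw event log, and an analyst reading them wants two things separated. The long run of "Queries volume information" entries against font files and GAC assemblies is consistent with ordinary .NET font enumeration and assembly loading and carries no signal on its own; the handful of file and registry accesses that matter point at credential stores (Thunderbird, IncrediMail and Outlook profiles; WinSCP, SmartFTP and FileZilla session data; Firefox and Chrome login data) plus the MachineGuid read, a value malware commonly uses to build a host identifier. The Python triage script below is an added example written for this page, not part of the Joe Sandbox report or of the sample; it parses report lines of this shape, drops the noise and groups the credential-store and fingerprinting hits per source process. The embedded sample lines are copied from the report above. The FileZilla sitemanager.xml pattern and the generic Chromium `User Data\<profile>\Login Data` pattern are assumed generalisations that this report does not itself show.

```python
"""Triage helper for sandbox behaviour lines of the form
    Source: <process> <event>: <target> [VolumeInformation] [Jump to behavior]
Separates credential-store access and host fingerprinting from the
volume-information noise and groups findings per source process."""
import re
from collections import defaultdict

# Behaviour lines copied verbatim from the report above.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Users\user\Desktop\shipping docs.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""

# The process path may contain spaces, so stop it at the first known event verb.
EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?) "
    r"(?P<event>Queries volume information|Key value queried|File opened|Key opened): "
    r"(?P<target>.+?)(?: VolumeInformation)?(?: Jump to behavior)?$"
)

# Ordered rules, first match wins. Paths come from the report; sitemanager.xml and the
# generic Chromium 'User Data\<profile>\Login Data' form are assumed generalisations.
RULES = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in [
    ("mail_credentials",
     r"\\Thunderbird\\profiles\.ini$|\\IncrediMail\\Identities$|Windows Messaging Subsystem\\Profiles\\"),
    ("ftp_scp_credentials",
     r"\\WinSCP 2\\Sessions$|\\SmartFTP\\|\\FileZilla\\(?:recentservers|sitemanager)\.xml$"),
    ("browser_credentials",
     r"\\Mozilla\\Firefox\\profiles\.ini$|\\User Data\\[^\\]+\\Login Data$"),
    ("host_fingerprint", r"\\Cryptography MachineGuid$"),
    ("noise", r"\\Windows\\Fonts\\|\\Microsoft\.NET\\assembly\\GAC_"),
]]

INTERESTING = ("mail_credentials", "ftp_scp_credentials", "browser_credentials", "host_fingerprint")


def parse_event(line):
    """Return {'proc', 'event', 'target'} for one report line, or None if it is not one."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(proc, target):
    """Bucket a target path or registry key; a process querying its own image is noise."""
    if target.lower() == proc.lower():
        return "noise"
    for name, rx in RULES:
        if rx.search(target):
            return name
    return "unclassified"


def triage(text):
    """Map process -> category -> ordered, de-duplicated targets."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        bucket = findings[ev["proc"]][classify(ev["proc"], ev["target"])]
        if ev["target"] not in bucket:
            bucket.append(ev["target"])
    return {proc: dict(cats) for proc, cats in findings.items()}


def summarize(findings):
    """One line per process that touched something worth an analyst's attention."""
    out = []
    for proc, cats in findings.items():
        hits = {c: len(cats[c]) for c in INTERESTING if c in cats}
        if not hits:
            continue
        name = proc.rsplit("\\", 1)[-1]
        detail = ", ".join(f"{c}={n}" for c, n in hits.items())
        out.append(f"{name}: {detail}; noise events ignored: {len(cats.get('noise', []))}")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_EVENTS)):
        print(line)
```

Run on the sample lines, the script reports the dropped copy VMqTMMD.exe touching three FTP/SCP stores and two browser stores, and the original shipping docs.exe reading MachineGuid and three mail-client stores, with the font and GAC queries counted but not listed. The rules are deliberately first-match and ordered so that a credential path under the user profile is never swallowed by the noise patterns; extend RULES rather than the regex when adding further stores.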

Remote Access Functionality

Source: Yara match File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR