
Analysis Report Shipping Document PP&BL Draft.exe

Overview

General Information

Sample Name: Shipping Document PP&BL Draft.exe
Analysis ID: 289523
MD5: 694d036934436a54746956bb0b692e5e
SHA1: d4be64a81ed25abdc6dc905f8b0724b0c3b2a1b4
SHA256: e2150f160d11a8a7917b38060171eceeb1d68209ca5c81394682b0d828f35ac9
Tags: AgentTesla


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Contains functionality to detect sleep reduction / modifications
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.630117857.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.630847988.00000000021E0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.630211114.0000000000445000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.630963240.0000000002252000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.368895263.00000000041A5000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(6 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.Shipping Document PP&BL Draft.exe.2250000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.Shipping Document PP&BL Draft.exe.4140000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.Shipping Document PP&BL Draft.exe.21e0000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.Shipping Document PP&BL Draft.exe.21e0000.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.Shipping Document PP&BL Draft.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(2 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Shipping Document PP&BL Draft.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Shipping Document PP&BL Draft.exe | Virustotal: Detection: 53%
Source: Shipping Document PP&BL Draft.exe | ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: Shipping Document PP&BL Draft.exe | Joe Sandbox ML: detected
Source: 2.2.Shipping Document PP&BL Draft.exe.2250000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.Shipping Document PP&BL Draft.exe.4140000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004088F0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,1_2_004088F0
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004059F4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_004059F4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 4x nop then mov byte ptr [ebp-05h], 00000064h 1_2_00463270
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 4x nop then mov byte ptr [ebp-06h], FFFFFFA0h 1_2_00463270
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-04h] 1_2_00463270
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 4x nop then mov dl, byte ptr [eax] 1_2_00463270
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 4x nop then xor dl, byte ptr [ebp-06h] 1_2_00463270
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 4x nop then mov dl, byte ptr [ebp-05h] 1_2_00463270
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 4x nop then inc edi 1_2_00463270

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org
Source: Joe Sandbox View | IP Address: 54.225.66.103 54.225.66.103
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: http://TGJZGr.com
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.633481807.0000000002C57000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.635632136.0000000005D74000.00000004.00000001.sdmp | String found in binary or memory: http://crDllca.com/COMFuncNametionr
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.633481807.0000000002C57000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.633481807.0000000002C57000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.633481807.0000000002C57000.00000004.00000001.sdmp | String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.633481807.0000000002C57000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org4
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Shipping Document PP&BL Draft.exe, 00000001.00000002.368895263.00000000041A5000.00000040.00000001.sdmp, Shipping Document PP&BL Draft.exe, 00000002.00000002.630117857.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.633481807.0000000002C57000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: Shipping Document PP&BL Draft.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00406FA6 OpenClipboard,1_2_00406FA6
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00422D9C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,1_2_00422D9C
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004393E0 GetKeyboardState,1_2_004393E0

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Shipping Document PP&BL Draft.exe
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0043C318 NtdllDefWindowProc_A,GetCapture,1_2_0043C318
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004570C8 NtdllDefWindowProc_A,1_2_004570C8
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0042F6FC NtdllDefWindowProc_A,1_2_0042F6FC
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00457844 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,1_2_00457844
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004578F4 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,1_2_004578F4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0044BCB8 GetSubMenu,SaveDC,RestoreDC,739EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,1_2_0044BCB8
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 2_2_0043E159 NtCreateSection,2_2_0043E159
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: String function: 0040429C appears 71 times
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: String function: 004038FC appears 31 times
Source: Shipping Document PP&BL Draft.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Shipping Document PP&BL Draft.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Shipping Document PP&BL Draft.exe, 00000001.00000002.368895263.00000000041A5000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameIAXWMUUfpgamPkGmYPbnjXMIvAJeLTgafHnEkrp.exe4 vs Shipping Document PP&BL Draft.exe
Source: Shipping Document PP&BL Draft.exe, 00000001.00000002.367412527.0000000002120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Shipping Document PP&BL Draft.exe
Source: Shipping Document PP&BL Draft.exe | Binary or memory string: OriginalFilename vs Shipping Document PP&BL Draft.exe
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.630458844.0000000000737000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Shipping Document PP&BL Draft.exe
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.630117857.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameIAXWMUUfpgamPkGmYPbnjXMIvAJeLTgafHnEkrp.exe4 vs Shipping Document PP&BL Draft.exe
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.630041362.0000000000197000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Shipping Document PP&BL Draft.exe
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.635256370.00000000056A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Shipping Document PP&BL Draft.exe
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Section loaded: mscorwks.dll
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Section loaded: mscorsec.dll
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Section loaded: mscorjit.dll
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/1
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0041FD70 GetLastError,FormatMessageA,1_2_0041FD70
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00408A68 GetDiskFreeSpaceA,1_2_00408A68
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004138D0 FindResourceA,1_2_004138D0
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Shipping Document PP&BL Draft.exe | Virustotal: Detection: 53%
Source: Shipping Document PP&BL Draft.exe | ReversingLabs: Detection: 41%
Source: unknown | Process created: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe 'C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe'
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Process created: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe 'C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe'
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Unpacked PE file: 2.2.Shipping Document PP&BL Draft.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Unpacked PE file: 2.2.Shipping Document PP&BL Draft.exe.2250000.4.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Unpacked PE file: 2.2.Shipping Document PP&BL Draft.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004430D4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,1_2_004430D4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00443720 push 004437ADh; ret 1_2_004437A5
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0041007C push 0041027Dh; ret 1_2_00410275
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00410018 push 00410079h; ret 1_2_00410071
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004280D8 push 00428104h; ret 1_2_004280FC
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004260BC push 004260E8h; ret 1_2_004260E0
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00410280 push 00410394h; ret 1_2_0041038C
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0044636C push 00446398h; ret 1_2_00446390
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00410368 push 00410394h; ret 1_2_0041038C
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00426374 push 004263A0h; ret 1_2_00426398
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045C3F0 push 0045C41Ch; ret 1_2_0045C414
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045C380 push 0045C3ACh; ret 1_2_0045C3A4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045C3B8 push 0045C3E4h; ret 1_2_0045C3DC
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00444450 push ecx; mov dword ptr [esp], edx 1_2_00444454
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045C478 push 0045C4BBh; ret 1_2_0045C4B3
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045C428 push 0045C454h; ret 1_2_0045C44C
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004064DE push 00406531h; ret 1_2_00406529
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004064E0 push 00406531h; ret 1_2_00406529
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045C4E0 push 0045C523h; ret 1_2_0045C51B
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045C544 push 0045C590h; ret 1_2_0045C588
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045E508 push 0045E57Eh; ret 1_2_0045E576
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0042650C push 00426538h; ret 1_2_00426530
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045C5D4 push 0045C600h; ret 1_2_0045C5F8
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0045C59C push 0045C5C8h; ret 1_2_0045C5C0
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00416608 push ecx; mov dword ptr [esp], edx 1_2_0041660A
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00460608 push 00460634h; ret 1_2_0046062C
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004446F0 push ecx; mov dword ptr [esp], edx 1_2_004446F4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004066B0 push 004066DCh; ret 1_2_004066D4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00406740 push 0040676Ch; ret 1_2_00406764
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0044C770 push 0044C7DBh; ret 1_2_0044C7D3
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00432970 push 004329DAh; ret 1_2_004329D2
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004449D0 push 004449FCh; ret 1_2_004449F4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00457150 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00457150
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00454244 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_00454244
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0043E294 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_0043E294
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00426744 IsIconic,GetWindowPlacement,GetWindowRect,1_2_00426744
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0043EB78 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_0043EB78
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_00457844 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,1_2_00457844
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004578F4 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,1_2_004578F4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_0043D9EC IsIconic,GetCapture,1_2_0043D9EC
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Code function: 1_2_004430D4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,1_2_004430D4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_004328BC
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_00456724
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Window / User API: threadDelayed 828
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_004328BC
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6836 Thread sleep count: 142 > 30
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6836 Thread sleep count: 828 > 30
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -59812s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -59406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -58906s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -58500s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -57812s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -57406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -57000s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -84750s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -56312s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -55906s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -55406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -54312s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -52406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -51906s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -51500s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -50406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -49500s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -49312s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -48406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -47312s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -46906s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -46000s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -45812s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -44906s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -44500s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -43812s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -43406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -42500s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -42312s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -41406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -41000s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -40312s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -39906s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -39000s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -38812s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -37906s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -36812s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -36406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -35500s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -35312s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -34406s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -34000s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -33312s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -32906s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -32000s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -31812s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -30906s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe TID: 6864 Thread sleep time: -30500s >= -30000s
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_004633A0 GetSystemTime followed by cmp: cmp word ptr [esp+08h], 07dfh and CTI: jnc 004633C2h 1_2_004633A0
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_004088F0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 1_2_004088F0
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_004059F4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_004059F4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_00420300 GetSystemInfo, 1_2_00420300
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.635256370.00000000056A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.635256370.00000000056A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.635256370.00000000056A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.635588436.0000000005D50000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.635256370.00000000056A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 2_2_004396F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_004396F3
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_0046321C VirtualProtect ?,00011837,00000104,?,000000FF,00000000,00011837,00003000,00000004 1_2_0046321C
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_004430D4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_004430D4
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 2_2_0043D412 mov eax, dword ptr fs:[00000030h] 2_2_0043D412
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 2_2_0043D4D0 mov eax, dword ptr fs:[00000030h] 2_2_0043D4D0
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_00463420 KiUserExceptionDispatcher,GetModuleHandleA,GetProcAddress,GetSystemMetrics,GetSystemMetrics,RtlAddVectoredExceptionHandler, 1_2_00463420
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 2_2_00438746 SetUnhandledExceptionFilter, 2_2_00438746
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 2_2_004396F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_004396F3
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 2_2_0043BD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0043BD7F
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 2_2_00439BB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00439BB5
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Section loaded: unknown target: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Process created: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe 'C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe'
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.630779742.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.630779742.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: NProgram Manager
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.630779742.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Shipping Document PP&BL Draft.exe, 00000002.00000002.630779742.0000000000DD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405BAC
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: GetLocaleInfoA,GetACP, 1_2_0040ABB8
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: GetLocaleInfoA, 1_2_004098B8
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: GetLocaleInfoA, 1_2_00409904
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405CB8
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: GetLocaleInfoA, 2_2_0043CA4A
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Queries volume information: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe VolumeInformation
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_004633A0 GetSystemTime,ExitProcess,GetSubMenu,GetSystemTimeAsFileTime,FileTimeToSystemTime,ExitProcess,ExitProcess, 1_2_004633A0
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 2_2_059C223C GetUserNameW, 2_2_059C223C
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Code function: 1_2_00443720 GetVersion, 1_2_00443720
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.630117857.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.630847988.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.630211114.0000000000445000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.630963240.0000000002252000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.368895263.00000000041A5000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.368845433.0000000004162000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.630913330.0000000002212000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Shipping Document PP&BL Draft.exe PID: 244, type: MEMORY
Source: Yara match File source: Process Memory Space: Shipping Document PP&BL Draft.exe PID: 3332, type: MEMORY
Source: Yara match File source: 2.2.Shipping Document PP&BL Draft.exe.2250000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Shipping Document PP&BL Draft.exe.4140000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Shipping Document PP&BL Draft.exe.21e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Shipping Document PP&BL Draft.exe.21e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Shipping Document PP&BL Draft.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Shipping Document PP&BL Draft.exe.4160000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Shipping Document PP&BL Draft.exe.2210000.3.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Shipping Document PP&BL Draft.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000002.00000002.631903803.0000000002951000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Shipping Document PP&BL Draft.exe PID: 244, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; File source: 00000002.00000002.630117857.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.630847988.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.630211114.0000000000445000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.630963240.0000000002252000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.368895263.00000000041A5000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.368845433.0000000004162000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.630913330.0000000002212000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Shipping Document PP&BL Draft.exe PID: 244, type: MEMORY
Source: Yara match; File source: Process Memory Space: Shipping Document PP&BL Draft.exe PID: 3332, type: MEMORY
Source: Yara match; File source: 2.2.Shipping Document PP&BL Draft.exe.2250000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Shipping Document PP&BL Draft.exe.4140000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Shipping Document PP&BL Draft.exe.21e0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Shipping Document PP&BL Draft.exe.21e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Shipping Document PP&BL Draft.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Shipping Document PP&BL Draft.exe.4160000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Shipping Document PP&BL Draft.exe.2210000.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools11 | OS Credential Dumping1 | System Time Discovery11 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API1 | Application Shimming1 | Application Shimming1 | Deobfuscate/Decode Files or Information1 | Input Capture11 | Account Discovery1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection112 | Obfuscated Files or Information3 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing31 | NTDS | System Information Discovery128 | Distributed Component Object Model | Input Capture11 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Security Software Discovery251 | SSH | Clipboard Data2 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion14 | Cach