Analysis Report Original Shipment Document.exe

Overview

General Information

Sample Name: Original Shipment Document.exe
Analysis ID: 320278
MD5: 857d9deaf0fad01a7ec5dd82834d43be
SHA1: 82bf78bc3a8e29a5522c675b4d31e31283e5fd80
SHA256: db40431cb3b2ca4524e58a97e2bdb1853a8adf866a2b2f43ea05a2b65b34ae72
Tags: DHLexe

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect sleep reduction / modifications
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: Original Shipment Document.exe.1848.12.memstr Malware Configuration Extractor: Agenttesla {"Username: ": " rGcp4B", "URL: ": "", "To: ": "finance@enmark.com.my", "ByHost: ": "mail.enmark.com.my:587", "Password: ": " U4Q6qXPgmf", "From: ": "finance@enmark.com.my"}
Multi AV Scanner detection for submitted file
Source: Original Shipment Document.exe Virustotal: Detection: 31%
Machine Learning detection for sample
Source: Original Shipment Document.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.Original Shipment Document.exe.1f730000.4.unpack Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.2310000.3.unpack Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.ae0000.2.unpack Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.400000.0.unpack Avira: Label: TR/Spy.Agent.lkofd
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00408938 FindFirstFileA,GetLastError, 0_2_00408938
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405AC0

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 1_2_02340BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4x nop then mov edi, dword ptr [ebp+20h] 1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 4_2_00560BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4x nop then mov edi, dword ptr [ebp+20h] 4_2_005608EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 4_2_005608EF

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: checkip.amazonaws.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49736 -> 110.4.45.145:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 216.58.215.225
Source: Joe Sandbox View IP Address: 110.4.45.145
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49736 -> 110.4.45.145:587
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_023AA186 recv, 12_2_023AA186
Source: unknown DNS traffic detected: queries for: doc-0c-3k-docs.googleusercontent.com
Source: Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp String found in binary or memory: http://checkip.amazonaws.com
Source: Original Shipment Document.exe, 0000000C.00000002.504800382.0000000002F1A000.00000004.00000001.sdmp String found in binary or memory: http://checkip.amazonaws.com/
Source: Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp String found in binary or memory: http://checkip.amazonaws.comx&
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Original Shipment Document.exe, 0000000C.00000002.505756785.0000000005EF0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504792985.0000000002F15000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504781050.0000000002EFE000.00000004.00000001.sdmp String found in binary or memory: http://pC7mVPB6Y4Irl4x.org
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: http://pC7mVPB6Y4Irl4x.orgh_G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpP3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.499958957.0000000000574000.00000004.00000020.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phpH
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1P3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1P3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.phpH
Source: Original Shipment Document.exe, 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1H5J20cDnop7M6bMvKPeXGm49G-GMKovF
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srfH
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeH
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlH
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0040703E OpenClipboard, 0_2_0040703E
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0043258C GetClipboardData,GlobalFix,GlobalUnWire, 0_2_0043258C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0045BDA0 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA, 0_2_0045BDA0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Yara detected Agent Tesla Trojan
Source: Yara match File source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Original Shipment Document.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00457E74 NtdllDefWindowProc_A, 0_2_00457E74
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_004585F0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_004586A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0042E8BC NtdllDefWindowProc_A, 0_2_0042E8BC
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0044CA64 GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0044CA64
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0043CE20 NtdllDefWindowProc_A,GetCapture, 0_2_0043CE20
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02342A10 NtProtectVirtualMemory, 1_2_02342A10
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02340F8C NtWriteVirtualMemory, 1_2_02340F8C
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02340F5E NtWriteVirtualMemory, 1_2_02340F5E
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02341167 NtWriteVirtualMemory, 1_2_02341167
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00561471 NtProtectVirtualMemory, 4_2_00561471
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00560D7C CreateThread,TerminateThread,NtProtectVirtualMemory, 4_2_00560D7C
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00562A10 NtProtectVirtualMemory, 4_2_00562A10
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00560DCE LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory, 4_2_00560DCE
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_005613FD Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 4_2_005613FD
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00562D90 NtSetInformationThread, 4_2_00562D90
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_0056146B NtProtectVirtualMemory, 4_2_0056146B
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_0056032B NtProtectVirtualMemory, 4_2_0056032B
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00562DCC NtSetInformationThread, 4_2_00562DCC
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00562D96 NtSetInformationThread, 4_2_00562D96
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_00452159 NtCreateSection, 12_2_00452159
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_05370476 NtQuerySystemInformation, 12_2_05370476
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_05370445 NtQuerySystemInformation, 12_2_05370445
Detected potential crypto function
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00452548 0_2_00452548
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0044CA64 0_2_0044CA64
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_004015DC 1_2_004015DC
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401E1B 1_2_00401E1B
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401E60 1_2_00401E60
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401ECA 1_2_00401ECA
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401ED1 1_2_00401ED1
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401ED4 1_2_00401ED4
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401EDC 1_2_00401EDC
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401EE8 1_2_00401EE8
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401EF0 1_2_00401EF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401EF9 1_2_00401EF9
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401EA6 1_2_00401EA6
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401F05 1_2_00401F05
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401F08 1_2_00401F08
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401F10 1_2_00401F10
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_00401F18 1_2_00401F18
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02341534 1_2_02341534
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_004015DC 1_1_004015DC
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401E1B 1_1_00401E1B
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401E60 1_1_00401E60
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401ECA 1_1_00401ECA
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401ED1 1_1_00401ED1
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401ED4 1_1_00401ED4
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401EDC 1_1_00401EDC
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401EE8 1_1_00401EE8
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401EF0 1_1_00401EF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401EF9 1_1_00401EF9
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401EA6 1_1_00401EA6
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401F05 1_1_00401F05
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401F08 1_1_00401F08
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401F10 1_1_00401F10
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_1_00401F18 1_1_00401F18
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_0044B976 12_2_0044B976
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_0045113D 12_2_0045113D
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_04CFD342 12_2_04CFD342
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_04CFE897 12_2_04CFE897
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_04CFF459 12_2_04CFF459
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_04CFE20F 12_2_04CFE20F
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_04CFCF0F 12_2_04CFCF0F
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_04CFE92B 12_2_04CFE92B
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_04CFF928 12_2_04CFF928
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_04CFF938 12_2_04CFF938
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: String function: 00403980 appears 32 times
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: String function: 00404320 appears 75 times
Sample file is different than original file name gathered from version info
Source: Original Shipment Document.exe, 00000000.00000002.234335175.0000000002230000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000000.00000002.234491928.000000000251C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameThermolum.exe vs Original Shipment Document.exe
Source: Original Shipment Document.exe Binary or memory string: OriginalFilename vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameThermolum.exe vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000002.273393170.0000000002200000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameThermolum.exeFE2XRibbon Turbino$ vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000002.273413707.0000000002320000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332447123.000000001EE80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332467489.000000001EFD0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameIELibrary.dll4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332541744.000000001F2C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe Binary or memory string: OriginalFilename vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505506746.00000000056F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIELibrary.dll4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505299196.0000000005330000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.504152490.0000000002C20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505566735.0000000005760000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505634471.0000000005990000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Original Shipment Document.exe
Yara signature match
Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@3/2
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00420594 GetLastError,FormatMessageA, 0_2_00420594
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_053702FA AdjustTokenPrivileges, 12_2_053702FA
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_053702C3 AdjustTokenPrivileges, 12_2_053702C3
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00408B02 GetDiskFreeSpaceA, 0_2_00408B02
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00416D64 FindResourceA,LoadResource,SizeofResource,LockResource, 0_2_00416D64
Source: C:\Users\user\Desktop\Original Shipment Document.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Original Shipment Document.exe File created: C:\Users\user\AppData\Local\Temp\~DFBEC6A87608955887.TMP
Source: C:\Users\user\Desktop\Original Shipment Document.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Original Shipment Document.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Original Shipment Document.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Original Shipment Document.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Original Shipment Document.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Original Shipment Document.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Original Shipment Document.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Original Shipment Document.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Original Shipment Document.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Original Shipment Document.exe Virustotal: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Original Shipment Document.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\Original Shipment Document.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Original Shipment Document.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: Original Shipment Document.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Unpacked PE file: 1.2.Original Shipment Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\Original Shipment Document.exe Unpacked PE file: 12.2.Original Shipment Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Unpacked PE file: 12.2.Original Shipment Document.exe.2310000.3.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Unpacked PE file: 1.2.Original Shipment Document.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Original Shipment Document.exe Unpacked PE file: 12.2.Original Shipment Document.exe.400000.0.unpack
Yara detected GuLoader
Source: Yara match File source: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Original Shipment Document.exe PID: 5852, type: MEMORY
Source: Yara match File source: Process Memory Space: Original Shipment Document.exe PID: 5240, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Original Shipment Document.exe PID: 5852, type: MEMORY
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00443C20
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00444250 push 004442DDh; ret 0_2_004442D5
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0040C020 push 0040C038h; ret 0_2_0040C030
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0040C03A push 0040C0ABh; ret 0_2_0040C0A3
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0040C03C push 0040C0ABh; ret 0_2_0040C0A3
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00410150 push 004101B1h; ret 0_2_004101A9
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0040C11A push 0040C148h; ret 0_2_0040C140
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0040C11C push 0040C148h; ret 0_2_0040C140
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0046C120 push 0046C153h; ret 0_2_0046C14B
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0046C1DC push 0046C208h; ret 0_2_0046C200
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0045A1D8 push ecx; mov dword ptr [esp], edx 0_2_0045A1DD
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004281DC push 00428208h; ret 0_2_00428200
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004441E8 push 0044424Eh; ret 0_2_00444246
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00428190 push 004281D1h; ret 0_2_004281C9
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004101B4 push 004103B5h; ret 0_2_004103AD
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00428214 push 0042824Ch; ret 0_2_00428244
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0046C22C push 0046C26Fh; ret 0_2_0046C267
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0041C234 push ecx; mov dword ptr [esp], edx 0_2_0041C239
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0046C2EC push 0046C318h; ret 0_2_0046C310
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0046C294 push 0046C2D7h; ret 0_2_0046C2CF
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00432364 push 004323BDh; ret 0_2_004323B5
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0046C324 push 0046C350h; ret 0_2_0046C348
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004263D8 push 004264A8h; ret 0_2_004264A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004103B8 push 004104FCh; ret 0_2_004104F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00412470 push eax; retf 0041h 0_2_00412471
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0041A4C8 push ecx; mov dword ptr [esp], edx 0_2_0041A4CA
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004104D0 push 004104FCh; ret 0_2_004104F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0047055C push 00470588h; ret 0_2_00470580
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00406576 push 004065C9h; ret 0_2_004065C1
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00406578 push 004065C9h; ret 0_2_004065C1
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00428538 push 00428564h; ret 0_2_0042855C
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0042C5E4 push 0042C610h; ret 0_2_0042C608

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00457EFC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_00457EFC
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0043E4F4 IsIconic,GetCapture, 0_2_0043E4F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_004585F0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_004586A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00426BA4 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00426BA4
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0043ED9C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0043ED9C
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00454FF0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00454FF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0043F680 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0043F680
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00443C20
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02342507 1_2_02342507
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00562507 4_2_00562507
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0043372C 0_2_0043372C
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Original Shipment Document.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Tries to detect Any.run
Source: C:\Users\user\Desktop\Original Shipment Document.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Original Shipment Document.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Original Shipment Document.exe Binary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Original Shipment Document.exe Binary or memory string: :\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Original Shipment Document.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Original Shipment Document.exe RDTSC instruction interceptor: First address: 000000000234250A second address: 000000000234252E instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 lfence 0x00000006 shl edx, 20h 0x00000009 nop 0x0000000a or edx, eax 0x0000000c clc 0x0000000d mov esi, edx 0x0000000f pushad 0x00000010 cld 0x00000011 mov eax, 00000001h 0x00000016 cpuid 0x00000018 bt ecx, 1Fh 0x0000001c nop 0x0000001d jc 00007F286C908C23h 0x0000001f cld 0x00000020 popad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Original Shipment Document.exe RDTSC instruction interceptor: First address: 000000000234252E second address: 000000000234250A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F286C90903Ah 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F286C909063h 0x0000001b push ecx 0x0000001c call 00007F286C90908Fh 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Original Shipment Document.exe RDTSC instruction interceptor: First address: 000000000056250A second address: 000000000056252E instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 lfence 0x00000006 shl edx, 20h 0x00000009 nop 0x0000000a or edx, eax 0x0000000c clc 0x0000000d mov esi, edx 0x0000000f pushad 0x00000010 cld 0x00000011 mov eax, 00000001h 0x00000016 cpuid 0x00000018 bt ecx, 1Fh 0x0000001c nop 0x0000001d jc 00007F286C908C23h 0x0000001f cld 0x00000020 popad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Original Shipment Document.exe RDTSC instruction interceptor: First address: 000000000056252E second address: 000000000056250A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F286C90903Ah 0x00000011 lfence 0x00000014 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02342507 rdtsc 1_2_02342507
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_004574D0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Original Shipment Document.exe Thread delayed: delay time: 1800000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Window / User API: threadDelayed 593
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_0043372C 0_2_0043372C
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Original Shipment Document.exe TID: 3056 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Original Shipment Document.exe TID: 3056 Thread sleep time: -1800000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Original Shipment Document.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Original Shipment Document.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004703B0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 004703CBh 0_2_004703B0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00408938 FindFirstFileA,GetLastError, 0_2_00408938
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405AC0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00420B24 GetSystemInfo, 0_2_00420B24
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Original Shipment Document.exe Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment Document.exe Binary or memory string: :\Program Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Original Shipment Document.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Original Shipment Document.exe, 0000000C.00000002.499958957.0000000000574000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMAC Layer LightWeight Filter-0000tA
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Original Shipment Document.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process queried: DebugObjectHandle
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02342507 rdtsc 1_2_02342507
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02341AEA LdrInitializeThunk, 1_2_02341AEA
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_0044D6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_0044D6F3
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00443C20
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_0234222C mov eax, dword ptr fs:[00000030h] 1_2_0234222C
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_0234275C mov eax, dword ptr fs:[00000030h] 1_2_0234275C
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02341385 mov eax, dword ptr fs:[00000030h] 1_2_02341385
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02340BC1 mov eax, dword ptr fs:[00000030h] 1_2_02340BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02342445 mov eax, dword ptr fs:[00000030h] 1_2_02342445
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_02340CEF mov eax, dword ptr fs:[00000030h] 1_2_02340CEF
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 1_2_023408EF mov eax, dword ptr fs:[00000030h] 1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_0056275C mov eax, dword ptr fs:[00000030h] 4_2_0056275C
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00562445 mov eax, dword ptr fs:[00000030h] 4_2_00562445
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_0056222C mov eax, dword ptr fs:[00000030h] 4_2_0056222C
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00560BC1 mov eax, dword ptr fs:[00000030h] 4_2_00560BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_005608EF mov eax, dword ptr fs:[00000030h] 4_2_005608EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00561385 mov eax, dword ptr fs:[00000030h] 4_2_00561385
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_00451412 mov eax, dword ptr fs:[00000030h] 12_2_00451412
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_004514D0 mov eax, dword ptr fs:[00000030h] 12_2_004514D0
Enables debug privileges
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 4_2_00560DCE LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory, 4_2_00560DCE
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_0044D6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_0044D6F3
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_0044C746 SetUnhandledExceptionFilter, 12_2_0044C746
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_0044FD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0044FD7F
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_0044DBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_0044DBB5
Source: C:\Users\user\Desktop\Original Shipment Document.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Original Shipment Document.exe Section loaded: unknown target: C:\Users\user\Desktop\Original Shipment Document.exe protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405C78
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040ACF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: GetLocaleInfoA, 0_2_00409940
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: GetLocaleInfoA, 0_2_0040998C
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405D84
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: GetLocaleInfoA, 12_2_00450A4A
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Original Shipment Document.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Original Shipment Document.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_004703B0 GetSystemTime,ExitProcess,6E1625A0, 0_2_004703B0
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 12_2_023AA5A2 GetUserNameW, 12_2_023AA5A2
Source: C:\Users\user\Desktop\Original Shipment Document.exe Code function: 0_2_00444250 GetVersion, 0_2_00444250
Source: C:\Users\user\Desktop\Original Shipment Document.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Original Shipment Document.exe, 00000000.00000002.234035192.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.499678365.0000000000459000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.499467401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.500366577.0000000000A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.500615250.0000000002312000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.332753801.000000001F789000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY
Source: Yara match File source: Process Memory Space: Original Shipment Document.exe PID: 5240, type: MEMORY
Source: Yara match File source: 12.2.Original Shipment Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Original Shipment Document.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Original Shipment Document.exe.2310000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Original Shipment Document.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Original Shipment Document.exe.1f730000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Original Shipment Document.exe.ae0000.2.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Original Shipment Document.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Original Shipment Document.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Original Shipment Document.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Original Shipment Document.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Original Shipment Document.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Original Shipment Document.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Original Shipment Document.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Original Shipment Document.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.499678365.0000000000459000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.499467401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.500366577.0000000000A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.500615250.0000000002312000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.332753801.000000001F789000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY
Source: Yara match File source: Process Memory Space: Original Shipment Document.exe PID: 5240, type: MEMORY
Source: Yara match File source: 12.2.Original Shipment Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Original Shipment Document.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Original Shipment Document.exe.2310000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Original Shipment Document.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Original Shipment Document.exe.1f730000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Original Shipment Document.exe.ae0000.2.unpack, type: UNPACKEDPE
Behavior Graph (ID: 320278; Sample: Original Shipment Document.exe; Startdate: 19/11/2020; Architecture: WINDOWS; Score: 100)

Start node
  DNS/IP: checkip.us-east-1.prod.check-ip.aws.a2z.com; checkip.check-ip.aws.a2z.com; checkip.amazonaws.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 15 other signatures
  Started: Original Shipment Document.exe (node 9)

Node 9: Original Shipment Document.exe
  Signatures: Maps a DLL or memory area into another process
  Started: Original Shipment Document.exe 1 (node 12)

Node 12: Original Shipment Document.exe 1
  Signatures: Tries to detect Any.run; Hides threads from debuggers
  Started: Original Shipment Document.exe 6 (node 15)

Node 15: Original Shipment Document.exe 6
  DNS/IP: googlehosted.l.googleusercontent.com 216.58.215.225, 443, 49728 GOOGLEUS United States; doc-0c-3k-docs.googleusercontent.com
  Signatures: Tries to detect Any.run; Maps a DLL or memory area into another process; Hides threads from debuggers
  Started: Original Shipment Document.exe 16 (node 19)

Node 19: Original Shipment Document.exe 16
  DNS/IP: enmark.com.my 110.4.45.145, 49736, 49740, 587 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia; mail.enmark.com.my
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name                               Malicious
216.58.215.225  unknown  United States  15169  GOOGLEUS                               false
110.4.45.145    unknown  Malaysia       46015  EXABYTES-AS-APExaBytesNetworkSdnBhdMY  true

Contacted Domains

Name IP Active
checkip.us-east-1.prod.check-ip.aws.a2z.com 52.206.184.85 true
googlehosted.l.googleusercontent.com 216.58.215.225 true
enmark.com.my 110.4.45.145 true
mail.enmark.com.my unknown unknown
checkip.amazonaws.com unknown unknown
doc-0c-3k-docs.googleusercontent.com unknown unknown