
Analysis Report Original Shipment Document.exe

Overview

General Information

Sample Name: Original Shipment Document.exe
Analysis ID: 320278
MD5: 857d9deaf0fad01a7ec5dd82834d43be
SHA1: 82bf78bc3a8e29a5522c675b4d31e31283e5fd80
SHA256: db40431cb3b2ca4524e58a97e2bdb1853a8adf866a2b2f43ea05a2b65b34ae72
Tags: DHL, exe

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect sleep reduction / modifications
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": " rGcp4B", "URL: ": "", "To: ": "finance@enmark.com.my", "ByHost: ": "mail.enmark.com.my:587", "Password: ": " U4Q6qXPgmf", "From: ": "finance@enmark.com.my"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 
0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 
0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | 
0000000C.00000002.499678365.0000000000459000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 
0000000C.00000002.499467401.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.Original Shipment Document.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 
12.2.Original Shipment Document.exe.a90000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 
12.2.Original Shipment Document.exe.2310000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 
12.2.Original Shipment Document.exe.a90000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 
4.2.Original Shipment Document.exe.1f730000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | 

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: Original Shipment Document.exe.1848.12.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": " rGcp4B", "URL: ": "", "To: ": "finance@enmark.com.my", "ByHost: ": "mail.enmark.com.my:587", "Password: ": " U4Q6qXPgmf", "From: ": "finance@enmark.com.my"}
Multi AV Scanner detection for submitted file
Source: Original Shipment Document.exe | Virustotal: Detection: 31%
Machine Learning detection for sample
Source: Original Shipment Document.exe | Joe Sandbox ML: detected
Source: 4.2.Original Shipment Document.exe.1f730000.4.unpack | Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.2310000.3.unpack | Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.ae0000.2.unpack | Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.400000.0.unpack | Avira: Label: TR/Spy.Agent.lkofd
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_00408938 FindFirstFileA,GetLastError,0_2_00408938
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405AC0
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 1_2_02340BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4x nop then mov edi, dword ptr [ebp+20h] 1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 4_2_00560BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4x nop then mov edi, dword ptr [ebp+20h] 4_2_005608EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 4_2_005608EF

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.amazonaws.com
Source: global traffic | TCP traffic: 192.168.2.5:49736 -> 110.4.45.145:587
Source: Joe Sandbox View | IP Address: 216.58.215.225
Source: Joe Sandbox View | IP Address: 110.4.45.145
Source: Joe Sandbox View | ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_023AA186 recv,12_2_023AA186
Source: unknown | DNS traffic detected: queries for: doc-0c-3k-docs.googleusercontent.com
Source: Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com
Source: Original Shipment Document.exe, 0000000C.00000002.504800382.0000000002F1A000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com/
Source: Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.comx&
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Original Shipment Document.exe, 0000000C.00000002.505756785.0000000005EF0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504792985.0000000002F15000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504781050.0000000002EFE000.00000004.00000001.sdmp | String found in binary or memory: http://pC7mVPB6Y4Irl4x.org
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: http://pC7mVPB6Y4Irl4x.orgh_G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpP3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.499958957.0000000000574000.00000004.00000020.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.phpH
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1P3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1P3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.phpH
Source: Original Shipment Document.exe, 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1H5J20cDnop7M6bMvKPeXGm49G-GMKovF
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srfH
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeH
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.htmlH
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_0040703E OpenClipboard,0_2_0040703E
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_0040703E OpenClipboard,0_2_0040703E
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_0043258C GetClipboardData,GlobalFix,GlobalUnWire,0_2_0043258C
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_0043258C GetClipboardData,GlobalFix,GlobalUnWire,0_2_0043258C
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_0045BDA0 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,0_2_0045BDA0
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_0045BDA0 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,0_2_0045BDA0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY | Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Yara detected Agent Tesla Trojan
Source: Yara match | File source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Original Shipment Document.exe
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_00457E74 NtdllDefWindowProc_A | 0_2_00457E74
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A | 0_2_004585F0
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus | 0_2_004586A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_0042E8BC NtdllDefWindowProc_A | 0_2_0042E8BC
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_0044CA64 GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A | 0_2_0044CA64
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_0043CE20 NtdllDefWindowProc_A,GetCapture | 0_2_0043CE20
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_02342A10 NtProtectVirtualMemory | 1_2_02342A10
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_02340F8C NtWriteVirtualMemory | 1_2_02340F8C
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_02340F5E NtWriteVirtualMemory | 1_2_02340F5E
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_02341167 NtWriteVirtualMemory | 1_2_02341167
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_00561471 NtProtectVirtualMemory | 4_2_00561471
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_00560D7C CreateThread,TerminateThread,NtProtectVirtualMemory | 4_2_00560D7C
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_00562A10 NtProtectVirtualMemory | 4_2_00562A10
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_00560DCE LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory | 4_2_00560DCE
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_005613FD Sleep,LdrInitializeThunk,NtProtectVirtualMemory | 4_2_005613FD
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_00562D90 NtSetInformationThread | 4_2_00562D90
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_0056146B NtProtectVirtualMemory | 4_2_0056146B
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_0056032B NtProtectVirtualMemory | 4_2_0056032B
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_00562DCC NtSetInformationThread | 4_2_00562DCC
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 4_2_00562D96 NtSetInformationThread | 4_2_00562D96
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_00452159 NtCreateSection | 12_2_00452159
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_05370476 NtQuerySystemInformation | 12_2_05370476
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_05370445 NtQuerySystemInformation | 12_2_05370445
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_00452548 | 0_2_00452548
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 0_2_0044CA64 | 0_2_0044CA64
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_004015DC | 1_2_004015DC
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401E1B | 1_2_00401E1B
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401E60 | 1_2_00401E60
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401ECA | 1_2_00401ECA
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401ED1 | 1_2_00401ED1
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401ED4 | 1_2_00401ED4
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401EDC | 1_2_00401EDC
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401EE8 | 1_2_00401EE8
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401EF0 | 1_2_00401EF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401EF9 | 1_2_00401EF9
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401EA6 | 1_2_00401EA6
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401F05 | 1_2_00401F05
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401F08 | 1_2_00401F08
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401F10 | 1_2_00401F10
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_00401F18 | 1_2_00401F18
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_2_02341534 | 1_2_02341534
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_004015DC | 1_1_004015DC
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401E1B | 1_1_00401E1B
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401E60 | 1_1_00401E60
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401ECA | 1_1_00401ECA
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401ED1 | 1_1_00401ED1
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401ED4 | 1_1_00401ED4
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401EDC | 1_1_00401EDC
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401EE8 | 1_1_00401EE8
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401EF0 | 1_1_00401EF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401EF9 | 1_1_00401EF9
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401EA6 | 1_1_00401EA6
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401F05 | 1_1_00401F05
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401F08 | 1_1_00401F08
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401F10 | 1_1_00401F10
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 1_1_00401F18 | 1_1_00401F18
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_0044B976 | 12_2_0044B976
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_0045113D | 12_2_0045113D
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_04CFD342 | 12_2_04CFD342
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_04CFE897 | 12_2_04CFE897
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_04CFF459 | 12_2_04CFF459
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_04CFE20F | 12_2_04CFE20F
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_04CFCF0F | 12_2_04CFCF0F
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_04CFE92B | 12_2_04CFE92B
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_04CFF928 | 12_2_04CFF928
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: 12_2_04CFF938 | 12_2_04CFF938
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: String function: 00403980 appears 32 times
Source: C:\Users\user\Desktop\Original Shipment Document.exe | Code function: String function: 00404320 appears 75 times
Source: Original Shipment Document.exe, 00000000.00000002.234335175.0000000002230000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000000.00000002.234491928.000000000251C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameThermolum.exe vs Original Shipment Document.exe
Source: Original Shipment Document.exe | Binary or memory string: OriginalFilename vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameThermolum.exe vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000002.273393170.0000000002200000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameThermolum.exeFE2XRibbon Turbino$ vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000002.273413707.0000000002320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332447123.000000001EE80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332467489.000000001EFD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332541744.000000001F2C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505506746.00000000056F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505299196.0000000005330000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.504152490.0000000002C20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505566735.0000000005760000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505634471.0000000005990000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Original Shipment Document.exe
Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY | Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@3/2
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_00420594 GetLastError,FormatMessageA,0_2_00420594
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_00420594 GetLastError,FormatMessageA,0_2_00420594
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 12_2_053702FA AdjustTokenPrivileges,12_2_053702FA
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 12_2_053702C3 AdjustTokenPrivileges,12_2_053702C3
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 12_2_053702FA AdjustTokenPrivileges,12_2_053702FA
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 12_2_053702C3 AdjustTokenPrivileges,12_2_053702C3
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_00408B02 GetDiskFreeSpaceA,0_2_00408B02
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_00408B02 GetDiskFreeSpaceA,0_2_00408B02
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_00416D64 FindResourceA,LoadResource,SizeofResource,LockResource,0_2_00416D64
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeCode function: 0_2_00416D64 FindResourceA,LoadResource,SizeofResource,LockResource,0_2_00416D64
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile created: C:\Users\user\AppData\Local\Temp\~DFBEC6A87608955887.TMPJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile created: C:\Users\user\AppData\Local\Temp\~DFBEC6A87608955887.TMPJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Original Shipment Document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Original Shipment Document.exeVirustotal: Detection: 31%
                      Source: Original Shipment Document.exeVirustotal: Detection: 31%
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder	Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb	source: Original Shipment Document.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 1.2.Original Shipment Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 12.2.Original Shipment Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 12.2.Original Shipment Document.exe.2310000.3.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 1.2.Original Shipment Document.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 12.2.Original Shipment Document.exe.400000.0.unpack
Yara detected GuLoader
Source: Yara match	File source: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 5852, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 5240, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 5852, type: MEMORY
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00443C20
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00444250 push 004442DDh; ret 0_2_004442D5
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C020 push 0040C038h; ret 0_2_0040C030
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C03A push 0040C0ABh; ret 0_2_0040C0A3
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C03C push 0040C0ABh; ret 0_2_0040C0A3
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00410150 push 004101B1h; ret 0_2_004101A9
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C11A push 0040C148h; ret 0_2_0040C140
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C11C push 0040C148h; ret 0_2_0040C140
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C120 push 0046C153h; ret 0_2_0046C14B
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C1DC push 0046C208h; ret 0_2_0046C200
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0045A1D8 push ecx; mov dword ptr [esp], edx 0_2_0045A1DD
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004281DC push 00428208h; ret 0_2_00428200
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004441E8 push 0044424Eh; ret 0_2_00444246
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00428190 push 004281D1h; ret 0_2_004281C9
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004101B4 push 004103B5h; ret 0_2_004103AD
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00428214 push 0042824Ch; ret 0_2_00428244
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C22C push 0046C26Fh; ret 0_2_0046C267
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0041C234 push ecx; mov dword ptr [esp], edx 0_2_0041C239
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C2EC push 0046C318h; ret 0_2_0046C310
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C294 push 0046C2D7h; ret 0_2_0046C2CF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00432364 push 004323BDh; ret 0_2_004323B5
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C324 push 0046C350h; ret 0_2_0046C348
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004263D8 push 004264A8h; ret 0_2_004264A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004103B8 push 004104FCh; ret 0_2_004104F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00412470 push eax; retf 0041h 0_2_00412471
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0041A4C8 push ecx; mov dword ptr [esp], edx 0_2_0041A4CA
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004104D0 push 004104FCh; ret 0_2_004104F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0047055C push 00470588h; ret 0_2_00470580
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00406576 push 004065C9h; ret 0_2_004065C1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00406578 push 004065C9h; ret 0_2_004065C1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00428538 push 00428564h; ret 0_2_0042855C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0042C5E4 push 0042C610h; ret 0_2_0042C608
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00457EFC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_00457EFC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043E4F4 IsIconic,GetCapture, 0_2_0043E4F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_004585F0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_004586A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00426BA4 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00426BA4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043ED9C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0043ED9C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00454FF0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00454FF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043F680 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0043F680
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00443C20
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX