
Windows Analysis Report Shipment Document BLINV and packing list.jpg.exe

Overview

General Information

Sample Name: Shipment Document BLINV and packing list.jpg.exe
Analysis ID: 483300
MD5: df2413a552334b77e540bb8c69bf9763
SHA1: 453f88a44b3966a97fc4005a0b6edf894cdc8d41
SHA256: 434e6827ed58ffd66a28619822626816559605a4e5d7c7cfe8770d3af043527d
Tags: exe

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Found potential dummy code loops (likely to delay analysis)
Uses an obfuscated file name to hide its real file extension (double extension)
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Creates processes with suspicious names
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=3B15BFABEF8C3B91&resid=3B15BFABEF8C3B91%21114&authkey=ACvtKGWGCmNAnGw"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.423383815.00000000020A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000015.00000002.733145322.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.423383815.00000000020A0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=3B15BFABEF8C3B91&resid=3B15BFABEF8C3B91%21114&authkey=ACvtKGWGCmNAnGw"}
Multi AV Scanner detection for submitted file
Source: Shipment Document BLINV and packing list.jpg.exe | ReversingLabs: Detection: 42%
Machine Learning detection for sample
Source: Shipment Document BLINV and packing list.jpg.exe | Joe Sandbox ML: detected
Source: Shipment Document BLINV and packing list.jpg.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://onedrive.live.com/download?cid=3B15BFABEF8C3B91&resid=3B15BFABEF8C3B91%21114&authkey=ACvtKGWGCmNAnGw
Source: Shipment Document BLINV and packing list.jpg.exe | String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/
Source: Shipment Document BLINV and packing list.jpg.exe, 00000015.00000002.733145322.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=3B15BFABEF8C3B91&resid=3B15BFABEF8C3B91%21114&authkey=ACvtKGW

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Shipment Document BLINV and packing list.jpg.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Shipment Document BLINV and packing list.jpg.exe | Static file information: Suspicious name
Source: Shipment Document BLINV and packing list.jpg.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Shipment Document BLINV and packing list.jpg.exe, 00000000.00000002.423114119.000000000041E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename RECIPIENTKVALITETSPLANLGNINGEN.exe vs Shipment Document BLINV and packing list.jpg.exe
Source: Shipment Document BLINV and packing list.jpg.exe, 00000015.00000000.422167592.000000000041E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename RECIPIENTKVALITETSPLANLGNINGEN.exe vs Shipment Document BLINV and packing list.jpg.exe
Source: Shipment Document BLINV and packing list.jpg.exe | Binary or memory string: OriginalFilename RECIPIENTKVALITETSPLANLGNINGEN.exe vs Shipment Document BLINV and packing list.jpg.exe
Source: Shipment Document BLINV and packing list.jpg.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code functions (process 0, run 2):
0_2_00401574, 0_2_020A8F41, 0_2_020A6FBE, 0_2_020A08AC, 0_2_020ABD03, 0_2_020A1160, 0_2_020A5E01, 0_2_020A3E04, 0_2_020A361A, 0_2_020A121B,
0_2_020A1619, 0_2_020A0A14, 0_2_020A5615, 0_2_020A3223, 0_2_020A1A26, 0_2_020A0A25, 0_2_020A3A33, 0_2_020ABE37, 0_2_020A1E6C, 0_2_020A6266,
0_2_020A3E64, 0_2_020A5E79, 0_2_020AA688, 0_2_020A0A8E, 0_2_020A5A83, 0_2_020A3E84, 0_2_020AA29B, 0_2_020AA29D, 0_2_020A56AB, 0_2_020AAEA0,
0_2_020ABEB0, 0_2_020A62B6, 0_2_020A36B5, 0_2_020A16DA, 0_2_020A76DB, 0_2_020AB2DF, 0_2_020AA2ED, 0_2_020A5B07, 0_2_020A3B05, 0_2_020A3F19,
0_2_020A5F2E, 0_2_020A1321, 0_2_020A1F25, 0_2_020ABF31, 0_2_020AA347, 0_2_020A1759, 0_2_020A5759, 0_2_020AAF6D, 0_2_020A6367, 0_2_020A1F99,
0_2_020A3BA1, 0_2_020A27BA, 0_2_020A47BD, 0_2_020A27C0, 0_2_020A5FC4, 0_2_020A13DB, 0_2_020A17DE, 0_2_020A6FDD, 0_2_020AAFE7, 0_2_020A47FA,
0_2_020AABF8, 0_2_020A57FF, 0_2_020A342E, 0_2_020AA42D, 0_2_020A1438, 0_2_020AAC5A, 0_2_020A5C50, 0_2_020AB06B, 0_2_020A706F, 0_2_020A5473,
0_2_020A3477, 0_2_020A488F, 0_2_020A3C99, 0_2_020A3491, 0_2_020A58A9, 0_2_020A6CA5, 0_2_020A50BB, 0_2_020A34BB, 0_2_020A1CB9, 0_2_020A1CB1,
0_2_020AA4CE, 0_2_020AA8DC, 0_2_020A6CD6, 0_2_020AACE8, 0_2_020A54EE, 0_2_020A50FF, 0_2_020A4CF2, 0_2_020A3CF0, 0_2_020A5D0E, 0_2_020A3D2B,
0_2_020ABD2F, 0_2_020A7539, 0_2_020A1943, 0_2_020AAD5A, 0_2_020A155B, 0_2_020ABD59, 0_2_020A5951, 0_2_020A1D54, 0_2_020A3565, 0_2_020ABD7E,
0_2_020A557C, 0_2_020A758B, 0_2_020A3D8F, 0_2_020AA580, 0_2_020A5186, 0_2_020A6185, 0_2_020A1192, 0_2_020A5DAB, 0_2_020A19A5, 0_2_020AADCB,
0_2_020A11CF, 0_2_020A1DE6, 0_2_020A39FD, 0_2_020ABDF7, 0_2_020A59F4
Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code functions (process 21, run 2):
21_2_005608AC, 21_2_00561160, 21_2_0056BD03, 21_2_00568F41, 21_2_00566FBE, 21_2_00565C50, 21_2_0056AC5A, 21_2_00563477, 21_2_00565473, 21_2_0056706F,
21_2_0056B06B, 21_2_00561438, 21_2_0056342E, 21_2_0056A42D, 21_2_00566CD6, 21_2_0056A8DC, 21_2_0056A4CE, 21_2_00564CF2, 21_2_00563CF0, 21_2_005650FF,
21_2_005654EE, 21_2_0056ACE8, 21_2_00563491, 21_2_00563C99, 21_2_0056488F, 21_2_00561CB1, 21_2_005650BB, 21_2_005634BB, 21_2_00561CB9, 21_2_00566CA5,
21_2_005658A9, 21_2_00561D54, 21_2_00565951, 21_2_0056AD5A, 21_2_0056155B, 21_2_0056BD59, 21_2_00561943, 21_2_0056BD7E, 21_2_0056557C, 21_2_00563565,
21_2_00565D0E, 21_2_00567539, 21_2_0056BD2F, 21_2_00563D2B, 21_2_005611CF, 21_2_0056ADCB, 21_2_0056BDF7, 21_2_005659F4, 21_2_005639FD, 21_2_00561DE6,
21_2_00561192, 21_2_00565186, 21_2_00566185, 21_2_0056A580, 21_2_00563D8F, 21_2_0056758B, 21_2_005619A5, 21_2_00565DAB, 21_2_00565E79, 21_2_00566266,
21_2_00563E64, 21_2_00561E6C, 21_2_00560A14, 21_2_00565615, 21_2_0056361A, 21_2_0056121B, 21_2_00561619, 21_2_00563E04, 21_2_00565E01, 21_2_0056BE37,
21_2_00563A33, 21_2_00561A26, 21_2_00560A25, 21_2_00563223, 21_2_0056B2DF, 21_2_005616DA, 21_2_005676DB, 21_2_0056A2ED, 21_2_0056A29D, 21_2_0056A29B,
21_2_00563E84, 21_2_00565A83, 21_2_00560A8E, 21_2_0056A688, 21_2_005662B6, 21_2_005636B5, 21_2_0056BEB0, 21_2_0056AEA0, 21_2_005656AB, 21_2_00561759,
21_2_00565759, 21_2_0056A347, 21_2_00566367, 21_2_0056AF6D, 21_2_00563F19, 21_2_00565B07, 21_2_00563B05, 21_2_0056BF31, 21_2_00561F25, 21_2_00561321,
21_2_00565F2E, 21_2_005617DE, 21_2_00566FDD, 21_2_005613DB, 21_2_00565FC4, 21_2_005627C0, 21_2_005657FF, 21_2_005647FA, 21_2_0056ABF8, 21_2_0056AFE7,
21_2_00561F99, 21_2_005647BD
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exeCode function: 21_2_005627BA21_2_005627BA
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exeCode function: 21_2_00563BA121_2_00563BA1
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A8F41 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020AB76A NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A6FBE NtWriteVirtualMemory, NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A1160 NtWriteVirtualMemory, TerminateProcess
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5E01 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5615 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A3223 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A6266 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5E79 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5A83 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020AA29B NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A56AB NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A62B6 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5B07 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5F2E NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020AB731 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5759 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A6367 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5FC4 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A6FDD NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A57FF NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A6424 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5C50 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A706F NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5473 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A648F NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A58A9 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A64DA NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020AA8DC NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A54EE NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5D0E NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A652E NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020ABD2F NtWriteVirtualMemory, K32GetDeviceDriverBaseNameA
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A7120 NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5951 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A557C NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A6185 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A5DAB NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A39FD NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A59F4 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00561160 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_0056B76A NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00566FBE NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_0056706F NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00561CB1 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00561CB9 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00561D54 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00567120 NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00561DE6 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_0056B731 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00566FDD NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process Stats: CPU usage > 98%
      Source: Shipment Document BLINV and packing list.jpg.exe | ReversingLabs: Detection: 42%
      Source: Shipment Document BLINV and packing list.jpg.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: unknown | Process created: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe 'C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe'
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process created: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe 'C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe'
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process created: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe 'C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe'
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
      Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@3/0@0/0

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: 00000000.00000002.423383815.00000000020A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000015.00000002.733145322.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_00417B80 push dword ptr [edi+000000BCh]; ret 0_2_0041858C
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_00407075 push esi; retf 0_2_0040707C
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_0040680F push esi; retf 0_2_00406810
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_00404410 pushfd; retf 0_2_00404412
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_00406CF7 push es; iretd 0_2_00406CF8
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_004060FB push ebp; ret 0_2_004060FC
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_00405143 pushfd; retf 0_2_00405144
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_00406D6F push es; iretd 0_2_00406D70
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_0040390D push esi; ret 0_2_00403914
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_004069D8 push ss; iretd 0_2_004069F8
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_0040398E push ds; iretd 0_2_004039BF
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_00404675 push eax; ret 0_2_0040467C
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_004046CF push eax; ret 0_2_004046E4
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_004046E5 push esi; ret 0_2_0040472D
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_004046ED push esi; ret 0_2_0040472D
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_0040570C push esi; retf 0_2_00405714
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_00407712 push ebp; retf 0_2_00407724
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_004047D8 push ebp; retf 0_2_004047DC
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_004067DB push es; iretd 0_2_004067DC
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_00407397 push esp; retf 0_2_00407398
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A8909 push esi; retf 0_2_020A890A
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A11CF push ecx; retf D4E7h 0_2_020A11DA
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00568909 push esi; retf 21_2_0056890A
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_005611CF push ecx; retf D4E7h 21_2_005611DA
      Source: initial sample | Static PE information: section name: .text entropy: 7.11463820938
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | File created: \shipment document blinv and packing list.jpg.exe
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | File created: \shipment document blinv and packing list.jpg.exe

      Hooking and other Techniques for Hiding and Protection:

      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: jpg.exe | Static PE information: Shipment Document BLINV and packing list.jpg.exe
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Shipment Document BLINV and packing list.jpg.exe, 00000000.00000002.423370081.0000000002080000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
      Source: Shipment Document BLINV and packing list.jpg.exe, 00000000.00000002.423370081.0000000002080000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe TID: 5268 | Thread sleep count: 43 > 30
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe TID: 5268 | Thread sleep time: -43000s >= -30000s
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Last function: Thread delayed
      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020AA089 rdtsc
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | System information queried: ModuleInformation
      Source: Shipment Document BLINV and packing list.jpg.exe, 00000000.00000002.423370081.0000000002080000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
      Source: Shipment Document BLINV and packing list.jpg.exe, 00000000.00000002.423370081.0000000002080000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Thread information set: HideFromDebugger
      Found potential dummy code loops (likely to delay analysis)
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process Stats: CPU usage > 90% for more than 60s
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A92F7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A6B21 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A9B4D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A47BD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A47FA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020AABF8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020AA8DC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A39FD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_0056A8DC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_005639FD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_005692F7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00569B4D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_00566B21 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_005647FA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_0056ABF8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 21_2_005647BD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process queried: DebugPort
      Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020AA089 rdtsc
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Code function: 0_2_020A8049 LdrInitializeThunk
      Source: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe | Process created: C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe 'C:\Users\user\Desktop\Shipment Document BLINV and packing list.jpg.exe'
      Source: Shipment Document BLINV and packing list.jpg.exe, 00000015.00000002.733566511.0000000000FC0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
      Source: Shipment Document BLINV and packing list.jpg.exe, 00000015.00000002.733566511.0000000000FC0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: Shipment Document BLINV and packing list.jpg.exe, 00000015.00000002.733566511.0000000000FC0000.00000002.00020000.sdmp | Binary or memory string: Progman
      Source: Shipment Document BLINV and packing list.jpg.exe, 00000015.00000002.733566511.0000000000FC0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

      Stealing of Sensitive Information:

      GuLoader behavior detected
      Source: Initial file | Signature Results: GuLoader behavior

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (12) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (421) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (321) | LSASS Memory | Virtualization/Sandbox Evasion (321) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (12) | NTDS | System Information Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (12) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

      Behavior Graph

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.