Windows Analysis Report
Original Shipment_Document.PDF.exe

Overview

General Information

Sample Name: Original Shipment_Document.PDF.exe
Analysis ID: 679174
MD5: 626cdeaa4696c819fd07921073f6c740
SHA1: b094f5e4c3792a05b7f307ad78d2e52cfcbf87b4
SHA256: d8519cee2bbf5c257375b339d530b33f275db40c06de0f96911eb5b4f207f2c5
Tags: exeguloader
Infos:

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Mass process execution to delay analysis
Obfuscated command line found
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Too many similar processes found
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Original Shipment_Document.PDF.exe Virustotal: Detection: 32% Perma Link
Source: Original Shipment_Document.PDF.exe ReversingLabs: Detection: 22%
Source: 00000000.00000002.520490666.00000000030F0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r"}
Uses 32bit PE files
Source: Original Shipment_Document.PDF.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Original Shipment_Document.PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r
Source: Original Shipment_Document.PDF.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056A8
Too many similar processes found
Source: Conhost.exe Process created: 58
Source: cmd.eXe Process created: 116

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Original Shipment_Document.PDF.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Original Shipment_Document.PDF.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Original Shipment_Document.PDF.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
PE file contains strange resources
Source: Original Shipment_Document.PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Detected potential crypto function
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_00406BFE 0_2_00406BFE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_6EAC1BFF 0_2_6EAC1BFF
PE / OLE file has an invalid certificate
Source: Original Shipment_Document.PDF.exe Static PE information: invalid certificate
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process Stats: CPU usage > 98%
Source: Original Shipment_Document.PDF.exe Virustotal: Detection: 32%
Source: Original Shipment_Document.PDF.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File read: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Jump to behavior
Source: Original Shipment_Document.PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe "C:\Users\user\Desktop\Original Shipment_Document.PDF.exe"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7578^962155845"
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File created: C:\Users\user\AppData\Local\Temp\nsf495B.tmp Jump to behavior
Source: classification engine Classification label: mal84.troj.evad.winEXE@185/6@0/0
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404954
Source: Original Shipment_Document.PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.520490666.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Obfuscated command line found
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7578^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_6EAC30C0 push eax; ret 0_2_6EAC30EE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_6EAC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6EAC1BFF
Drops PE files
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File created: C:\Users\user\AppData\Local\Temp\nse53EC.tmp\nsExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe File created: C:\Users\user\AppData\Local\Temp\nse53EC.tmp\System.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: Original Shipment_Document.PDF.exe
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Mass process execution to delay analysis
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe RDTSC instruction interceptor: First address: 00000000030F265F second address: 00000000030F265F instructions: 0x00000000 rdtsc 0x00000002 cmp ch, bh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FC308EAEAB8h 0x00000008 pushad 0x00000009 mov al, A5h 0x0000000b cmp al, A5h 0x0000000d jne 00007FC308EC080Dh 0x00000013 popad 0x00000014 inc ebp 0x00000015 test ah, ch 0x00000017 inc ebx 0x00000018 test ecx, ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_6EAC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6EAC1BFF
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845" Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679174 Sample: Original Shipment_Document.... Startdate: 05/08/2022 Architecture: WINDOWS Score: 84 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected GuLoader 2->52 54 Uses an obfuscated file name to hide its real file extension (double extension) 2->54 56 6 other signatures 2->56 8 Original Shipment_Document.PDF.exe 30 2->8         started        process3 file4 46 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->46 dropped 48 C:\Users\user\AppData\Local\...\System.dll, PE32 8->48 dropped 58 Obfuscated command line found 8->58 12 cmd.eXe 8->12         started        14 cmd.eXe 8->14         started        16 cmd.eXe 8->16         started        18 61 other processes 8->18 signatures5 process6 process7 20 Conhost.exe 12->20         started        22 Conhost.exe 12->22         started        24 Conhost.exe 14->24         started        26 Conhost.exe 14->26         started        34 2 other processes 16->34 28 Conhost.exe 18->28         started        30 Conhost.exe 18->30         started        32 Conhost.exe 18->32         started        36 51 other processes 18->36 process8 38 Conhost.exe 20->38         started        40 Conhost.exe 20->40         started        42 Conhost.exe 20->42         started        44 Conhost.exe 24->44         started       
No contacted IP infos