Edit tour

Windows Analysis Report
Original Shipment_Document.PDF.exe

Overview

General Information

Sample Name:	Original Shipment_Document.PDF.exe
Analysis ID:	679174
MD5:	626cdeaa4696c819fd07921073f6c740
SHA1:	b094f5e4c3792a05b7f307ad78d2e52cfcbf87b4
SHA256:	d8519cee2bbf5c257375b339d530b33f275db40c06de0f96911eb5b4f207f2c5
Tags:	exeguloader
Infos:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Mass process execution to delay analysis

Obfuscated command line found

Tries to detect virtualization through RDTSC time measurements

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Uses an obfuscated file name to hide its real file extension (double extension)

Uses 32bit PE files

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Too many similar processes found

PE / OLE file has an invalid certificate

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

Original Shipment_Document.PDF.exe (PID: 3516 cmdline: "C:\Users\user\Desktop\Original Shipment_Document.PDF.exe" MD5: 626CDEAA4696C819FD07921073F6C740)

cmd.eXe (PID: 5672 cmdline: cmd.eXe /c SeT /a "0x721C070B^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4668 cmdline: cmd.eXe /c SeT /a "0x7C156677^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 4552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 2980 cmdline: cmd.eXe /c SeT /a "0x03631637^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5736 cmdline: cmd.eXe /c SeT /a "0x5C382120^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5628 cmdline: cmd.eXe /c SeT /a "0x7F303920^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 3204 cmdline: cmd.eXe /c SeT /a "0x78713865^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5920 cmdline: cmd.eXe /c SeT /a "0x4B6D7569^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6024 cmdline: cmd.eXe /c SeT /a "0x19307575^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 2996 cmdline: cmd.eXe /c SeT /a "0x41616575^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6080 cmdline: cmd.eXe /c SeT /a "0x09696575^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4668 cmdline: cmd.eXe /c SeT /a "0x0975752C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.eXe (PID: 2980 cmdline: cmd.eXe /c SeT /a "0x19697965^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.eXe (PID: 5696 cmdline: cmd.eXe /c SeT /a "0x49796569^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 1104 cmdline: cmd.eXe /c SeT /a "0x19307571^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5772 cmdline: cmd.eXe /c SeT /a "0x15793C65^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6012 cmdline: cmd.eXe /c SeT /a "0x09216D75^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6124 cmdline: cmd.eXe /c SeT /a "0x15793C65^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5892 cmdline: cmd.eXe /c SeT /a "0x09703C6B^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 2344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5640 cmdline: cmd.eXe /c SeT /a "0x4B6C7578^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.eXe (PID: 2216 cmdline: cmd.eXe /c SeT /a "0x721C070B^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 2236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5464 cmdline: cmd.eXe /c SeT /a "0x7C156677^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 1220 cmdline: cmd.eXe /c SeT /a "0x0363032C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 4264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6040 cmdline: cmd.eXe /c SeT /a "0x4B2D2024^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5144 cmdline: cmd.eXe /c SeT /a "0x55183929^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 2196 cmdline: cmd.eXe /c SeT /a "0x563A7D2C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6088 cmdline: cmd.eXe /c SeT /a "0x09753C65^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 1428 cmdline: cmd.eXe /c SeT /a "0x09216475^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4700 cmdline: cmd.eXe /c SeT /a "0x09696575^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 2244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5128 cmdline: cmd.eXe /c SeT /a "0x15793C65^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6088 cmdline: cmd.eXe /c SeT /a "0x09216675^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.eXe (PID: 1428 cmdline: cmd.eXe /c SeT /a "0x09697965^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.eXe (PID: 4588 cmdline: cmd.eXe /c SeT /a "0x5079653D^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 1892 cmdline: cmd.eXe /c SeT /a "0x0D697C35^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5828 cmdline: cmd.eXe /c SeT /a "0x172B6478^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5784 cmdline: cmd.eXe /c SeT /a "0x721C070B^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 2536 cmdline: cmd.eXe /c SeT /a "0x7C156677^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6108 cmdline: cmd.eXe /c SeT /a "0x03630620^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 2952 cmdline: cmd.eXe /c SeT /a "0x4D1F3C29^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.eXe (PID: 5312 cmdline: cmd.eXe /c SeT /a "0x5C093A2C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5888 cmdline: cmd.eXe /c SeT /a "0x572D3037^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 2644 cmdline: cmd.eXe /c SeT /a "0x11307537^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 1296 cmdline: cmd.eXe /c SeT /a "0x0C75752C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4596 cmdline: cmd.eXe /c SeT /a "0x19686375^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4812 cmdline: cmd.eXe /c SeT /a "0x09697569^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 2660 cmdline: cmd.eXe /c SeT /a "0x19307575^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 3280 cmdline: cmd.eXe /c SeT /a "0x15307575^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6108 cmdline: cmd.eXe /c SeT /a "0x10307B37^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.eXe (PID: 5184 cmdline: cmd.eXe /c SeT /a "0x0A64721C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 4400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6028 cmdline: cmd.eXe /c SeT /a "0x721C070B^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 2952 cmdline: cmd.eXe /c SeT /a "0x7C156677^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.eXe (PID: 3400 cmdline: cmd.eXe /c SeT /a "0x03630720^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 6116 cmdline: cmd.eXe /c SeT /a "0x583D132C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 2788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 1524 cmdline: cmd.eXe /c SeT /a "0x553C7D2C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4532 cmdline: cmd.eXe /c SeT /a "0x4B6C7965^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 3812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 908 cmdline: cmd.eXe /c SeT /a "0x50792774^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4708 cmdline: cmd.eXe /c SeT /a "0x15793C65^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 1332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 1128 cmdline: cmd.eXe /c SeT /a "0x09216475^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 3876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4920 cmdline: cmd.eXe /c SeT /a "0x09696575^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 4916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 5464 cmdline: cmd.eXe /c SeT /a "0x15733C65^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.eXe (PID: 4336 cmdline: cmd.eXe /c SeT /a "0x0975752C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4712 cmdline: cmd.eXe /c SeT /a "0x19697C2C^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4600 cmdline: cmd.eXe /c SeT /a "0x172B6678^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 2644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 4772 cmdline: cmd.eXe /c SeT /a "0x4C2A3037^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

Conhost.exe (PID: 3212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.eXe (PID: 2952 cmdline: cmd.eXe /c SeT /a "0x0A6B6F7F^962155845" MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.520490666.00000000030F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Original Shipment_Document.PDF.exe	Virustotal: Detection: 32%			Perma Link
Source: Original Shipment_Document.PDF.exe	ReversingLabs: Detection: 22%

Source: 00000000.00000002.520490666.00000000030F0000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r"}

Source: Original Shipment_Document.PDF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Original Shipment_Document.PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Code function: 0_2_0040290B FindFirstFileW,

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1RTjXzM3oLxMQRuQuQg9TR4kX_hPJtp2r

Source: Original Shipment_Document.PDF.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: Conhost.exe	Process created: 58
Source: cmd.eXe	Process created: 116

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Original Shipment_Document.PDF.exe

Executable has a suspicious name (potential lure to open the executable)

Source: Original Shipment_Document.PDF.exe

Static file information: Suspicious name

Source: Original Shipment_Document.PDF.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Original Shipment_Document.PDF.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Code function: 0_2_00406BFE
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Code function: 0_2_6EAC1BFF

Source: Original Shipment_Document.PDF.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Process Stats: CPU usage > 98%

Source: Original Shipment_Document.PDF.exe	Virustotal: Detection: 32%
Source: Original Shipment_Document.PDF.exe	ReversingLabs: Detection: 22%

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

File read: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Jump to behavior

Source: Original Shipment_Document.PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe "C:\Users\user\Desktop\Original Shipment_Document.PDF.exe"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7578^962155845"
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845"
Source: C:\Windows\SysWOW64\cmd.eXe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

File created: C:\Users\user\AppData\Local\Temp\nsf495B.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winEXE@185/6@0/0

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Code function: 0_2_004021AA CoCreateInstance,

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Source: Original Shipment_Document.PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.520490666.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7578^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4D1F3C29^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845"

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Code function: 0_2_6EAC30C0 push eax; ret

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Code function: 0_2_6EAC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	File created: C:\Users\user\AppData\Local\Temp\nse53EC.tmp\nsExec.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	File created: C:\Users\user\AppData\Local\Temp\nse53EC.tmp\System.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Original Shipment_Document.PDF.exe

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Mass process execution to delay analysis

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

RDTSC instruction interceptor: First address: 00000000030F265F second address: 00000000030F265F instructions: 0x00000000 rdtsc 0x00000002 cmp ch, bh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FC308EAEAB8h 0x00000008 pushad 0x00000009 mov al, A5h 0x0000000b cmp al, A5h 0x0000000d jne 00007FC308EC080Dh 0x00000013 popad 0x00000014 inc ebp 0x00000015 test ah, ch 0x00000017 inc ebx 0x00000018 test ecx, ecx 0x0000001a rdtsc

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Code function: 0_2_0040290B FindFirstFileW,

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Code function: 0_2_6EAC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C382120^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7F303920^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x78713865^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x41616575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03631637^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x49796569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307571^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216D75^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09703C6B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0363032C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x55183929^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x563A7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09753C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5079653D^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0D697C35^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6478^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x5C093A2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x572D3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x11307537^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0C75752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19686375^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09697569^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15307575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630620^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0A64721C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x721C070B^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x03630720^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x583D132C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x553C7D2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4B6C7965^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x50792774^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x15793C65^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09216475^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x09696575^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x7C156677^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x0975752C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x19697C2C^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x172B6678^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\SysWOW64\cmd.eXe cmd.eXe /c SeT /a "0x4C2A3037^962155845"
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\Original Shipment_Document.PDF.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Access Token Manipulation	LSASS Memory	1 Time Based Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Time Based Evasion	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Original Shipment_Document.PDF.exe	32%	Virustotal		Browse
Original Shipment_Document.PDF.exe	22%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nse53EC.tmp\System.dll	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nse53EC.tmp\System.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nse53EC.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nse53EC.tmp\nsExec.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nse53EC.tmp\nsExec.dll	4%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nse53EC.tmp\nsExec.dll	0%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	Original Shipment_Document.PDF.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679174
Start date and time: 05/08/202211:23:09	2022-08-05 11:23:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Original Shipment_Document.PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	149
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@185/6@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 62.9% (good quality ratio 61.7%) Quality average: 88.6% Quality standard deviation: 21.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Users\user\Desktop\Original Shipment_Document.PDF.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 1%, Browse Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nse53EC.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Original Shipment_Document.PDF.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.298362543684714
Encrypted:	false
SSDEEP:	96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
MD5:	675C4948E1EFC929EDCABFE67148EDDD
SHA1:	F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
SHA-256:	1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
SHA-512:	61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 4%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\timelrer\Tdlen\Integrationsprvens.Adg72

Download File

Process:	C:\Users\user\Desktop\Original Shipment_Document.PDF.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	56802
Entropy (8bit):	3.999776572782735
Encrypted:	false
SSDEEP:	1536:MiSOEpxqtPV0vXzt3Ov2Kh2+ir/qY3TAK7tgjofP:QpeSPztK2YVK7iE
MD5:	7C22C978F9497BB753456B3AA833F7DE
SHA1:	5566F37ED12035AD659E8E71B09A46FC3A907D27
SHA-256:	8126292C7A2EE04C5D5286BCD0584CF8FF39745F17E28DE70A72CBF1EBCA900B
SHA-512:	C33B835EFC5EB8C19A6429E588D8BD6BBD6C26DA379B7F24A6322CDF09094DF777C7C1DBB0B41E43EE5F24D5A11374E2D95135E70EC4285C0C28A8D3F764424B
Malicious:	false
Preview:	751B5626ED1D59DCECA17FC07B6590E02267FE3B2CD7A757A3164D2442E94F22E7417624324FB00CADEF5E125A7A344E60BED74BC30F36CD1FC851B3AD4732C6EA226EB072F8E714BFA6387A8D207880017E9AC6FEEBE6A73C2845B2010C4322E8DC529575F955085F49CFD5389BA20DB5FE9CCA8B739E136A7672B5D2F4472D326B8961AC7A1D2BE941B3207256738921359864F7DCD7AEC49C3C1E7CC69AF9A2AF9CB338F2002503BA46ECAC9CB7044F3290D90BAC2852B3BB0083DC03E4D5EBA5CEA9D0A787F3862CCD2C6EC3325DEACC5CB5818C829C68E98E4C9833F007B86693B4C6776056B342C33E34C5201C378F536C73A444DA46B37933404F6CDE80F0FF3BEE724769B921E9A924F35714874EB7DC63C16604B0487C1A2F1D201C1C8B5CD77378607E2DF7037056A2043753275C1A55BA8CD1CFEC4571E57D5A2331ED816A72AD23FF030A715BC4CDEF157B56B25E576F4F59EB903849D9446368C20AC6283FDD2627141ED25B1A794C55D1FDD15E1F6F5B78A58957BA7871754426D16868771513FAD305AEA8DD85058FC14F2437A34BBC4DEBA70E52D1ACE512EA32218DFED4211F0B5EA40ECD74C2062AA179E6DD0BBE910ADAA8CC1974916BD62BE762ED036F9C2A8BDF043DBB4411C94797F2B82DE9BA0A257AC9E7458DE83CC1AAF0A8D0249200F483B276BFE5D91DFE0787

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\timelrer\Tdlen\format-text-bold-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\Original Shipment_Document.PDF.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1330
Entropy (8bit):	4.276818433927216
Encrypted:	false
SSDEEP:	24:2dPnnxu3tlACrmYbJ1BtxhUuLos3CrmYbJ1qtxhUuLosN:cfnz6XXNUuLos36XcNUuLosN
MD5:	B0BE3814C6303C5B8C080D654FDF2EA7
SHA1:	8231CACDA98442D068D80EC063CE75DC05AE7A2E
SHA-256:	4A71E8903E3673A98AB8D8BAC7579F7EA2D8C016ADC7ABC6EA23F5565D8643DA
SHA-512:	62F55F19DFE1A8D9B12CD4968401CA19ED332298FBA3ED9DCF714F5E41BA41ED1F8DE07F9F55C90E6B461B73A5F34C2E9C4F505B736960BE814ACB3779F6937A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <g fill="#2e3436">. <path d="m 5 3 v 2 h 6 c 0.429688 0 1 0.613281 1 1 v 1 h -5 c -0.917969 0 -1.734375 0.378906 -2.25 0.964844 c -0.515625 0.585937 -0.742188 1.324218 -0.738281 2.046875 c 0.007812 0.71875 0.246093 1.445312 0.757812 2.027343 c 0.515625 0.578126 1.320313 0.960938 2.230469 0.960938 h 7 v -7 c 0 -1.632812 -1.320312 -3 -3 -3 z m 2 6 h 5 v 2 h -5 c -0.398438 0 -0.578125 -0.117188 -0.730469 -0.289062 c -0.152343 -0.167969 -0.253906 -0.441407 -0.257812 -0.722657 c 0 -0.277343 0.09375 -0.539062 0.238281 -0.703125 c 0.148438 -0.164062 0.328125 -0.285156 0.75 -0.285156 z m 0 0"/>. <path d="m 4 3 v 2 h 5 c 0.429688 0 1 0.613281 1 1 v 1 h -5 c -0.917969 0 -1.734375 0.378906 -2.25 0.964844 c -0.515625 0.585937 -0.742188 1.324218 -0.738281 2.046875 c 0.007812 0.71875 0.246093 1.445312 0.757812 2.027343 c 0.515625 0.578126 1.320313 0.960938

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\timelrer\Tdlen\location-services-disabled-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\Original Shipment_Document.PDF.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	285
Entropy (8bit):	7.002882763277556
Encrypted:	false
SSDEEP:	6:6v/lhPysuci+aOXTk585U+UliBie7cQkF2HTtWAJdp:6v/7Oci+aOogUVli9AZWBz
MD5:	91B30844C5145188A9DCE697271B8BCF
SHA1:	69C3F0AFA91A3E725A26017EC282499152500DC9
SHA-256:	3B79DEE63724F1BAFFB1E51D55CB96CEB2849C0536000BE3A6C848CE36230049
SHA-512:	6AAF7F986B121484A96B3C85CA382A471DC2B6CFC87C7D7C1838714217C17199649A98825AFF70E62CD0DC2E9C6A3DDF41E4CC743CD44977A452F494340BD7C7
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...1J.A........Q...!.I....V.B:.Li.5.F0'.Hi'X.....h.op\t...S..vwh...t..a...^1B/C..2....:Y..W.E.Kl`.W.......@......w..s&..x..V*.Y3..c.\|e.......%.......y..).y8P#c..3.xL..`..c..{......S...R.1.~.....di....W-z._.....IEND.B`.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\timelrer\Tdlen\uforfrdetheden.Rid

Download File

Process:	C:\Users\user\Desktop\Original Shipment_Document.PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	99762
Entropy (8bit):	7.345890691572136
Encrypted:	false
SSDEEP:	1536:C42UhrrhyVKSRG5jbu3E4CIJB8SkPoVcrlCDh4AusPrji0Dz:GG0KSRCnu3E9qdbos94AuuPP/
MD5:	251EE827C992B4E481634030C2E681F3
SHA1:	88065FA2EDAE7B94B6891675DF8A9028DC5F28E6
SHA-256:	E9DD8E6A46B89E22E83743D0578339458E7C2CE719BFF5FDD9FDC66652DB161A
SHA-512:	6042BAD2119F19C0355DC43C7CC0F03A5943C524252DC7F0DA0FF4ED254D9486EC3C485BBF0D8010CF5CBF2A22B5F2BFFA8247D87EEFFEF91A72B891FCFAD49D
Malicious:	false
Preview:	Y.!&.Z....o.....-....D....8.)8E^.+.....a..7..[?cH.Y...d..[....2R.&..f.....,t.y.OO..q.>..@.%..r...h,.N.~xh......&..{.....6.pR2cM...tM8X.1....q.......;).../0.u...f}...j}.3......+[._.`VS..U+!yoY........?R...Z..X.i...o....O.}...9.`F.e>~.%...E..Z...(?...........j..^zC.>...\.n.3."f....V;......,....&...-.#...,c....\3Z......}^!..[A....Y.U./Rz....a.....\|......:5p...._.[...g....B&.-....T.WF..dY..^.Z..W/.......M.V. ......:I...A.........{.5.....2f5A......W.p.T..9K..n3.Js..N<.L.W...=Hv.8Q.d.(.H!`k.aO....Y....s....l.1.A`H.P<u.Z4..).0.n.......M/GL..JjD.;.P.... .;.H..h.7D.\|..e..(._WTD......:<J^..a....Eq]}.f....t...J&.:d+t......5.)]'.ww..`.A...q....!.....Y..7...X.p.y.D...].y...P.=pc..V&T. `W}B.....%..D."...P....#..,...:.&."4$1..e.9Z......F2."mTM....~...g.....c..%".T...q..$_l...#j..:t...."...t=.e.....@.U.i.U..Bj.....E#...~.r.<....,.UP5t..@e....G....H......7Ye..i......^......9..4C.o.3..F'..A..e..=.u..Bw.6S..^..]..v..&.....<)$On.UxV5.+:..vh....a.q..R...e

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.715600015491742
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Original Shipment_Document.PDF.exe
File size:	341696
MD5:	626cdeaa4696c819fd07921073f6c740
SHA1:	b094f5e4c3792a05b7f307ad78d2e52cfcbf87b4
SHA256:	d8519cee2bbf5c257375b339d530b33f275db40c06de0f96911eb5b4f207f2c5
SHA512:	2cbfa1d322bd8b6bd861c97f43ef4778a6ef2fb86b718f2571b54f1ce5874afbdf3a9e1728986c7593eb7f48b2defcff624ac467a5ff2677d9036093edaf88f0
SSDEEP:	6144:JNeZc5FBkXpIwbmr2KEROaPdEY8mff3PgRsmq:JNRTr2KEROoT8mfH+q
TLSH:	9F741AC1E199FCD5C428007659B9E521251BAB6EF0B8493B396A7519B0FF383607BE0F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....

Entrypoint:	0x4034f7
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Signature Valid:	false
Signature Issuer:	CN="Slnggrebets Buginese Itemizer ", OU="Louped Estes ", E=Kodeskrifter@Blakkers.For, O=Kedging, L=Bury, S=England, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	9/30/2021 7:49:03 AM 9/29/2024 7:49:03 AM
Subject Chain	CN="Slnggrebets Buginese Itemizer ", OU="Louped Estes ", E=Kodeskrifter@Blakkers.For, O=Kedging, L=Bury, S=England, C=GB
Version:	3
Thumbprint MD5:	9531A5E4D76383B4586733B6369AA05A
Thumbprint SHA-1:	EB1025208E0319CC8EEFE675D7F0134D108F989B
Thumbprint SHA-256:	1860FBBE1C07E5046864295E0AE0BA476642D85716E6DDB0C4D6E2BF3405DB86
Serial:	2A16DD32E2795EBB

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x2eec8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x52fb0	0x710	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6515	0x6600	False	0.6615349264705882	data	6.439707948554623	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.45	data	5.145774564074664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	False	0.4993489583333333	data	4.013698650446401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x27000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x52000	0x2eec8	0x2f000	False	0.3425500748005319	data	5.305541691795029	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x52340	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x62b68	0x94a8	data	English	United States
RT_ICON	0x6c010	0x6cb4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x72cc8	0x5488	data	English	United States
RT_ICON	0x78150	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 1056964608	English	United States
RT_ICON	0x7c378	0x25a8	data	English	United States
RT_ICON	0x7e920	0x10a8	data	English	United States
RT_ICON	0x7f9c8	0x988	data	English	United States
RT_ICON	0x80350	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x807b8	0x100	data	English	United States
RT_DIALOG	0x808b8	0x11c	data	English	United States
RT_DIALOG	0x809d8	0xc4	data	English	United States
RT_DIALOG	0x80aa0	0x60	data	English	United States
RT_GROUP_ICON	0x80b00	0x84	data	English	United States
RT_MANIFEST	0x80b88	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Target ID:	0
Start time:	11:24:13
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\Original Shipment_Document.PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Original Shipment_Document.PDF.exe"
Imagebase:	0x400000
File size:	341696 bytes
MD5 hash:	626CDEAA4696C819FD07921073F6C740
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.520490666.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Target ID:	1
Start time:	11:24:16
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x721C070B^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	2
Start time:	11:24:17
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	4
Start time:	11:24:18
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	8
Start time:	11:24:19
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x5C382120^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	11
Start time:	11:24:20
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x7F303920^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	15
Start time:	11:24:21
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x4B6D7569^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	19
Start time:	11:24:22
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	23
Start time:	11:24:23
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	26
Start time:	11:24:24
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x19697965^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	29
Start time:	11:24:25
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	32
Start time:	11:24:26
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x15793C65^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	34
Start time:	11:24:27
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x09216D75^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Original Shipment_Document.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nse53EC.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nse53EC.tmp\nsExec.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\timelrer\Tdlen\Integrationsprvens.Adg72

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\timelrer\Tdlen\format-text-bold-symbolic.svg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\timelrer\Tdlen\location-services-disabled-symbolic.symbolic.png

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\timelrer\Tdlen\uforfrdetheden.Rid

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
Original Shipment_Document.PDF.exe

Target ID:	35
Start time:	11:24:28
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	36
Start time:	11:24:30
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x15793C65^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	37
Start time:	11:24:32
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	40
Start time:	11:24:33
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	43
Start time:	11:24:34
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	45
Start time:	11:24:35
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x721C070B^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	49
Start time:	11:24:36
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	54
Start time:	11:24:37
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x4B2D2024^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	57
Start time:	11:24:38
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.eXe
Wow64 process (32bit):
Commandline:	cmd.eXe /c SeT /a "0x55183929^962155845"
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language

Target ID:	62
Start time:	11:24:39
Start date:	05/08/2022
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language