Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Overview

General Information

Sample Name:CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Analysis ID:736949
MD5:045f22ce9be3d33b07a00780ee66fcfd
SHA1:91b74e75d55c33d8d82b10bed51ca7d3ad80147c
SHA256:e05ec32c2edc10b6917a3cbcac9d823cb37db908cc51f3ec459800992e2b8b37
Infos:

Detection

GuLoader
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Executable has a suspicious name (potential lure to open the executable)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Sleep loop found (likely to delay execution)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe (PID: 4848 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 045F22CE9BE3D33B07A00780EE66FCFD)
    • dllhost.exe (PID: 2364 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • backgroundTaskHost.exe (PID: 4408 cmdline: "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)
    • dllhost.exe (PID: 4508 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • BackgroundTransferHost.exe (PID: 4480 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)
    • BackgroundTransferHost.exe (PID: 5560 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: C5D813D92E83CDE3FECD9343933E3421)
    • ieinstal.exe (PID: 5400 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 1820 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 6908 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 1396 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 4268 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 4772 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 7620 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 6588 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 3156 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 5924 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 3988 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ielowutil.exe (PID: 7732 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ielowutil.exe (PID: 4760 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ielowutil.exe (PID: 7756 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ielowutil.exe (PID: 4612 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ielowutil.exe (PID: 3852 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ielowutil.exe (PID: 6596 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ielowutil.exe (PID: 6516 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ielowutil.exe (PID: 7348 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ielowutil.exe (PID: 7808 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ielowutil.exe (PID: 7380 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 650FE7460630188008BF8C8153526CEB)
    • ExtExport.exe (PID: 5404 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)
    • ExtExport.exe (PID: 7588 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)
    • ExtExport.exe (PID: 5708 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)
    • ExtExport.exe (PID: 8104 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)
    • ExtExport.exe (PID: 1160 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)
    • ExtExport.exe (PID: 6700 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)
    • ExtExport.exe (PID: 6248 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)
    • ExtExport.exe (PID: 5524 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)
    • ExtExport.exe (PID: 5904 cmdline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe MD5: 3253FD643C51C133C3489A146781913B)
    • backgroundTaskHost.exe (PID: 5840 cmdline: "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
00000002.00000002.110030353777.0000000002B90000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BestyrelsesformandenJump to behavior
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_0040676F FindFirstFileW,FindClose,2_2_0040676F
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_00405B23
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_00402902 FindFirstFileW,2_2_00402902
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeFile opened: C:\Users\userJump to behavior
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeFile opened: C:\Users\user\AppDataJump to behavior
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeString found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeString found in binary or memory: http://ocsp2.globalsign.com/rootr606
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    Source: imprbeacons.dat.~tmp.4.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Events/Impression=&PID=400089837&TID=700129702&CID=12800000000040292
    Source: e9594213-9e57-49dd-91fb-0ee2aae6c086.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta.7.dr, aa790838-db48-4eec-9b8a-be8242eb173a.56802ae0-e7ec-49c1-9ab4-e41cf1ffbd66.down_meta.7.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4XJ8e?ver=993fLast-Mo
    Source: fce64348-a319-4f43-89cb-85a2ff3766b6.5e70bb71-9767-4cfd-9295-d09782f797ca.down_meta.7.dr, dd6a1354-220a-435c-9960-7f2e2f731c6f.5e70bb71-9767-4cfd-9295-d09782f797ca.down_meta.7.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Y3Xg?ver=4bf1Content
    Source: 8086b025-ce16-4435-9cc3-d2a0f33fe026.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta.7.dr, 585053d0-ba98-49e5-b1a4-c6f5d9974c26.efb8d39c-14d5-4f68-9688-1978db758a90.down_meta.7.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Ysjy?ver=4a06Content
    Source: 4aa5b1fb-1301-4194-8203-1cbb67304ae7.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta.7.dr, b554ff5d-428f-46a5-8fa9-db35cc2cdf59.e160842f-d7d2-487c-becb-ff7f735e3216.down_meta.7.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4YzZS?ver=7b46Content
    Source: 8d48d2a6-6a56-420d-bb18-5dfe26c1259c.c22ac765-aa10-4c35-8f7c-a01d4239152c.down_meta.7.dr, f9e08879-735a-4e9f-beea-148234195053.c22ac765-aa10-4c35-8f7c-a01d4239152c.down_meta.7.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWEDKu?ver=7737Content-
    Source: 3843bffb-4eef-4da1-af04-618c0facc656.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta.7.dr, 0f40a9a4-7ba9-4798-b98b-f18214009bbd.e7219a3a-5edb-4393-8e4b-a78a641e7e36.down_meta.7.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWEyIE?ver=7beaLast-Mod
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeString found in binary or memory: https://www.globalsign.com/repository/0
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,2_2_004055B8

    System Summary

    barindex
    Source: initial sampleStatic PE information: Filename: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeStatic file information: Suspicious name
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeSection loaded: edgegdi.dllJump to behavior
    Source: C:\Windows\System32\dllhost.exeSection loaded: edgegdi.dllJump to behavior
    Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: edgegdi.dllJump to behavior
    Source: C:\Windows\System32\dllhost.exeSection loaded: edgegdi.dllJump to behavior
    Source: C:\Windows\System32\BackgroundTransferHost.exeSection loaded: edgegdi.dllJump to behavior
    Source: C:\Windows\System32\BackgroundTransferHost.exeSection loaded: edgegdi.dllJump to behavior
    Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,2_2_004034C5
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_004074582_2_00407458
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_00406C812_2_00406C81
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_73841B5F2_2_73841B5F
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA5E2E2_2_02BA5E2E
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA709F2_2_02BA709F
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA9A9D2_2_02BA9A9D
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA5C892_2_02BA5C89
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B936F62_2_02B936F6
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA76EE2_2_02BA76EE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B934E52_2_02B934E5
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA88D22_2_02BA88D2
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B93ACC2_2_02B93ACC
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA72232_2_02BA7223
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA8C762_2_02BA8C76
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA844B2_2_02BA844B
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA75B82_2_02BA75B8
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA5FA72_2_02BA5FA7
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B96B992_2_02B96B99
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B925932_2_02B92593
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B963972_2_02B96397
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA7D892_2_02BA7D89
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B96BFD2_2_02B96BFD
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B96BF62_2_02B96BF6
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B943EE2_2_02B943EE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA7BE02_2_02BA7BE0
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B96BE22_2_02B96BE2
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B961382_2_02B96138
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B9333A2_2_02B9333A
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA63342_2_02BA6334
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B931232_2_02B93123
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B93F222_2_02B93F22
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B903182_2_02B90318
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA851B2_2_02BA851B
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B9310D2_2_02B9310D
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B961762_2_02B96176
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA596B2_2_02BA596B
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B931532_2_02B93153
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B963552_2_02B96355
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B965562_2_02B96556
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02B943472_2_02B94347
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeStatic PE information: invalid certificate
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeCode function: 2_2_02BA871D NtProtectVirtualMemory,2_2_02BA871D
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeFile read: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeJump to behavior
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exeProcess created: C:\Windows\System32\backgroundTaskHost.exe "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-029939