Windows Analysis Report
shipping_documents.exe

Overview

General Information

Sample Name: shipping_documents.exe
Analysis ID: 830622
MD5: 5ec19c18eff49f78ce02e2cf1831c37d
SHA1: 9d7261d0e2558dd6bd26373c4e2421ad83af6b19
SHA256: ee9c3569905a2a2b5141982928e9205a99170189dab43f8626102e1a6dddbe4e
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: shipping_documents.exe ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe ReversingLabs: Detection: 53%
Source: shipping_documents.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Joe Sandbox ML: detected
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.clipjoint.co.nz", "Username": "clipjoint@clipjoint.co.nz", "Password": "melandloz64"}
Source: shipping_documents.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: shipping_documents.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: i2QOV.pdbx" source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
Source: Binary string: i2QOV.pdb source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0746F728
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 5_2_0791F5C8
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 5_2_0791FE40
Source: Joe Sandbox View IP Address: 27.54.86.236
Source: global traffic TCP traffic: 192.168.2.5:49699 -> 27.54.86.236:587
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://MFxeXD.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000003102000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.00000000031AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.clipjoint.co.nz
Source: shipping_documents.exe, 00000000.00000002.368254562.00000000075F1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comceF
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comcagE
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vOqVEnqC.exe, 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://RGpFrRyIJy6rRTyqEb.net
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%mail.clipjoint.co.nzclipjoint
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: mail.clipjoint.co.nz

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\shipping_documents.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\shipping_documents.exe
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
Source: shipping_documents.exe, 00000000.00000002.349816544.0000000000C38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\shipping_documents.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\shipping_documents.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample Static PE information: Filename: shipping_documents.exe
Source: shipping_documents.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_00BCC504 0_2_00BCC504
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_00BCE7F8 0_2_00BCE7F8
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_00BCE7E8 0_2_00BCE7E8
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_0746BD70 0_2_0746BD70
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07467CA8 0_2_07467CA8
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07460040 0_2_07460040
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07467810 0_2_07467810
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07466F60 0_2_07466F60
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07469F18 0_2_07469F18
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07467F18 0_2_07467F18
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07466F24 0_2_07466F24
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07467F28 0_2_07467F28
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07462FA8 0_2_07462FA8
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07462FB8 0_2_07462FB8
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07463600 0_2_07463600
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07463610 0_2_07463610
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07461E28 0_2_07461E28
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07461E38 0_2_07461E38
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07463420 0_2_07463420
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07463430 0_2_07463430
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07467C97 0_2_07467C97
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07468BCF 0_2_07468BCF
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07468BE0 0_2_07468BE0
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07461392 0_2_07461392
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_074613A0 0_2_074613A0
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_0746BA80 0_2_0746BA80
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_074641C3 0_2_074641C3
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_074641C8 0_2_074641C8
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07463190 0_2_07463190
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_074631A0 0_2_074631A0
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07460006 0_2_07460006
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07467802 0_2_07467802
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_0746C018 0_2_0746C018
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_02F3E7F8 5_2_02F3E7F8
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_02F3E7E8 5_2_02F3E7E8
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_02F3C504 5_2_02F3C504
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07917CA8 5_2_07917CA8
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_0791BCE0 5_2_0791BCE0
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07910040 5_2_07910040
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_0791BF88 5_2_0791BF88
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07912FB8 5_2_07912FB8
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07912FA8 5_2_07912FA8
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07919F18 5_2_07919F18
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07917F18 5_2_07917F18
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07916F24 5_2_07916F24
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07917F28 5_2_07917F28
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07916F60 5_2_07916F60
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07913610 5_2_07913610
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07913600 5_2_07913600
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07911E38 5_2_07911E38
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07911E28 5_2_07911E28
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07917C97 5_2_07917C97
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07913430 5_2_07913430
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07913420 5_2_07913420
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07911392 5_2_07911392
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_079113A0 5_2_079113A0
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07918BCF 5_2_07918BCF
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07918BE0 5_2_07918BE0
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07913190 5_2_07913190
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_079131A0 5_2_079131A0
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_079141C8 5_2_079141C8
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_0791B9F0 5_2_0791B9F0
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07914118 5_2_07914118
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07917810 5_2_07917810
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07917802 5_2_07917802
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07910006 5_2_07910006
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_0118F6E0 6_2_0118F6E0
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_0118FA28 6_2_0118FA28
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A8A84 6_2_062A8A84
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062AA328 6_2_062AA328
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A3002 6_2_062A3002
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A8060 6_2_062A8060
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A0040 6_2_062A0040
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A61B0 6_2_062A61B0
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062AB288 6_2_062AB288
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062AB2F0 6_2_062AB2F0
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062AA327 6_2_062AA327
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062AE8DA 6_2_062AE8DA
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_0656DEC8 6_2_0656DEC8
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_0656C818 6_2_0656C818
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_0656ACF8 6_2_0656ACF8
Source: shipping_documents.exe, 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename159a3513-189a-4a39-a83d-9c07ca495265.exe4 vs shipping_documents.exe
Source: shipping_documents.exe, 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping_documents.exe
Source: shipping_documents.exe, 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamei2QOV.exe: vs shipping_documents.exe
Source: shipping_documents.exe, 00000000.00000002.349816544.0000000000C38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs shipping_documents.exe
Source: shipping_documents.exe, 00000000.00000002.368254562.00000000075F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename159a3513-189a-4a39-a83d-9c07ca495265.exe4 vs shipping_documents.exe
Source: shipping_documents.exe, 00000000.00000000.299936176.0000000000574000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamei2QOV.exe: vs shipping_documents.exe
Source: shipping_documents.exe, 00000000.00000002.362172177.00000000048D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping_documents.exe
Source: shipping_documents.exe, 00000006.00000002.581226304.00000000009E8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs shipping_documents.exe
Source: shipping_documents.exe Binary or memory string: OriginalFilenamei2QOV.exe: vs shipping_documents.exe
Source: shipping_documents.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vOqVEnqC.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LIhMQ.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: shipping_documents.exe ReversingLabs: Detection: 53%
Source: C:\Users\user\Desktop\shipping_documents.exe File read: C:\Users\user\Desktop\shipping_documents.exe
Source: C:\Users\user\Desktop\shipping_documents.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\shipping_documents.exe C:\Users\user\Desktop\shipping_documents.exe
Source: C:\Users\user\Desktop\shipping_documents.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\shipping_documents.exe Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe C:\Users\user\AppData\Roaming\vOqVEnqC.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe {path}
Source: C:\Users\user\Desktop\shipping_documents.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\shipping_documents.exe File created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe
Source: C:\Users\user\Desktop\shipping_documents.exe File created: C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@25/10@3/1
Source: C:\Users\user\Desktop\shipping_documents.exe File read: C:\Users\user\Desktop\desktop.ini
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.000000000315A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: shipping_documents.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\shipping_documents.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Mutant created: \Sessions\1\BaseNamedObjects\KEXpxe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:472:120:WilError_01
Source: shipping_documents.exe String found in binary or memory: WPlease check that the folder and files are in this location. If not, please uninstal and re-install the program. If this issue continues, please contact technical support.9\BlueSkyGlobal\UpdateImages\/Please insert your USB.
Source: C:\Users\user\Desktop\shipping_documents.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\shipping_documents.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\shipping_documents.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: shipping_documents.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: shipping_documents.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: shipping_documents.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: i2QOV.pdbx" source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
Source: Binary string: i2QOV.pdb source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 0_2_07461390 pushad ; iretd 0_2_07461391
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Code function: 5_2_07911390 pushad ; iretd 5_2_07911391
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A581A push FFFFFF8Bh; retf 6_2_062A581C
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A78D5 push eax; retf 6_2_062A78D7
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A71FD push cs; retf 8B05h 6_2_062A724E
Source: initial sample Static PE information: section name: .text entropy: 7.446877411021773
Source: C:\Users\user\Desktop\shipping_documents.exe File created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
Source: C:\Users\user\Desktop\shipping_documents.exe File created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe

Boot Survival

Source: C:\Users\user\Desktop\shipping_documents.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
Source: C:\Users\user\Desktop\shipping_documents.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Users\user\Desktop\shipping_documents.exe File opened: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe File opened: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LIhMQ.exe PID: 244, type: MEMORYSTR
Source: shipping_documents.exe, 00000000.00000002.368254562.00000000078E1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: shipping_documents.exe, 00000000.00000002.368254562.00000000078E1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\shipping_documents.exe TID: 5880 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe TID: 4968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\shipping_documents.exe TID: 5800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\shipping_documents.exe TID: 4012 Thread sleep count: 9742 > 30
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 5928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 5044 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 3804 Thread sleep count: 9448 > 30
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe TID: 5364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe TID: 5416 Thread sleep count: 5854 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\shipping_documents.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping_documents.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping_documents.exe Window / User API: threadDelayed 9742
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Window / User API: threadDelayed 9448
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Window / User API: threadDelayed 5854
Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\shipping_documents.exe Process information queried: ProcessInformation
Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: LIhMQ.exe, 0000000E.00000002.637583427.0000000006D1F000.00000004.00000020.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000003.549988407.0000000006D14000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: vOqVEnqC.exe, 00000011.00000002.634694904.0000000006570000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\shipping_documents.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A2508 LdrInitializeThunk, 6_2_062A2508
Source: C:\Users\user\Desktop\shipping_documents.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\shipping_documents.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\shipping_documents.exe Memory written: C:\Users\user\Desktop\shipping_documents.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Memory written: C:\Users\user\AppData\Roaming\vOqVEnqC.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Memory written: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\shipping_documents.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp"
Source: C:\Users\user\Desktop\shipping_documents.exe Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
Source: C:\Users\user\Desktop\shipping_documents.exe Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
Source: C:\Users\user\Desktop\shipping_documents.exe Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp"
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe {path}
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp"
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Users\user\Desktop\shipping_documents.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Users\user\AppData\Roaming\vOqVEnqC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Users\user\Desktop\shipping_documents.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Users\user\AppData\Roaming\vOqVEnqC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping_documents.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\shipping_documents.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information

Source: Yara match File source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.591331951.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LIhMQ.exe PID: 2280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vOqVEnqC.exe PID: 1324, type: MEMORYSTR
Source: C:\Users\user\Desktop\shipping_documents.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\shipping_documents.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\shipping_documents.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\shipping_documents.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LIhMQ.exe PID: 2280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vOqVEnqC.exe PID: 1324, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.591331951.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: LIhMQ.exe PID: 2280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vOqVEnqC.exe PID: 1324, type: MEMORYSTR