
Windows Analysis Report
shipping_documents.exe

Overview

General Information

Sample Name: shipping_documents.exe
Analysis ID: 830622
MD5: 5ec19c18eff49f78ce02e2cf1831c37d
SHA1: 9d7261d0e2558dd6bd26373c4e2421ad83af6b19
SHA256: ee9c3569905a2a2b5141982928e9205a99170189dab43f8626102e1a6dddbe4e
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • shipping_documents.exe (PID: 64 cmdline: C:\Users\user\Desktop\shipping_documents.exe MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
    • schtasks.exe (PID: 6132 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • vOqVEnqC.exe (PID: 1248 cmdline: C:\Users\user\AppData\Roaming\vOqVEnqC.exe MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
    • schtasks.exe (PID: 4436 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vOqVEnqC.exe (PID: 1324 cmdline: {path} MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
  • LIhMQ.exe (PID: 244 cmdline: "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe" MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
    • schtasks.exe (PID: 5968 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • LIhMQ.exe (PID: 4544 cmdline: {path} MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
    • LIhMQ.exe (PID: 2280 cmdline: {path} MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
  • LIhMQ.exe (PID: 2852 cmdline: "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe" MD5: 5EC19C18EFF49F78CE02E2CF1831C37D)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "mail.clipjoint.co.nz", "Username": "clipjoint@clipjoint.co.nz", "Password": "melandloz64"}
Source | Rule | Description | Author | Strings
00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x1f7c:$a13: get_DnsResolver
  • 0x71d:$a20: get_LastAccessed
  • 0x824:$a33: get_Clipboard
  • 0x832:$a34: get_Keyboard
  • 0x1b97:$a35: get_ShiftKeyDown
  • 0x1ba8:$a36: get_AltKeyDown
  • 0x83f:$a37: get_Password
  • 0x132f:$a38: get_PasswordHash
00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x30c8c:$a13: get_DnsResolver
  • 0x650ac:$a13: get_DnsResolver
  • 0x2f42d:$a20: get_LastAccessed
  • 0x6384d:$a20: get_LastAccessed
  • 0x3161e:$a27: set_InternalServerPort
  • 0x65a3e:$a27: set_InternalServerPort
  • 0x3193b:$a30: set_GuidMasterKey
  • 0x65d5b:$a30: set_GuidMasterKey
  • 0x2f534:$a33: get_Clipboard
  • 0x63954:$a33: get_Clipboard
  • 0x2f542:$a34: get_Keyboard
  • 0x63962:$a34: get_Keyboard
  • 0x308a7:$a35: get_ShiftKeyDown
  • 0x64cc7:$a35: get_ShiftKeyDown
  • 0x308b8:$a36: get_AltKeyDown
  • 0x64cd8:$a36: get_AltKeyDown
  • 0x2f54f:$a37: get_Password
  • 0x6396f:$a37: get_Password
  • 0x3003f:$a38: get_PasswordHash
  • 0x6445f:$a38: get_PasswordHash
  • 0x31089:$a39: get_DefaultCredentials
[26 entries not shown]

Source | Rule | Description | Author | Strings
5.2.vOqVEnqC.exe.4446b10.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.vOqVEnqC.exe.4446b10.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
5.2.vOqVEnqC.exe.4446b10.3.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30c63:$s10: logins
  • 0x306bf:$s11: credential
  • 0x2cc24:$g1: get_Clipboard
  • 0x2cc32:$g2: get_Keyboard
  • 0x2cc3f:$g3: get_Password
  • 0x2df87:$g4: get_CtrlKeyDown
  • 0x2df97:$g5: get_ShiftKeyDown
  • 0x2dfa8:$g6: get_AltKeyDown
5.2.vOqVEnqC.exe.4446b10.3.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x2e37c:$a13: get_DnsResolver
  • 0x2cb1d:$a20: get_LastAccessed
  • 0x2ed0e:$a27: set_InternalServerPort
  • 0x2f02b:$a30: set_GuidMasterKey
  • 0x2cc24:$a33: get_Clipboard
  • 0x2cc32:$a34: get_Keyboard
  • 0x2df97:$a35: get_ShiftKeyDown
  • 0x2dfa8:$a36: get_AltKeyDown
  • 0x2cc3f:$a37: get_Password
  • 0x2d72f:$a38: get_PasswordHash
  • 0x2e779:$a39: get_DefaultCredentials
5.2.vOqVEnqC.exe.4446b10.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
[12 entries not shown]

              Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\shipping_documents.exe, ParentImage: C:\Users\user\Desktop\shipping_documents.exe, ParentProcessId: 64, ParentProcessName: shipping_documents.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp, ProcessId: 6132, ProcessName: schtasks.exe
No Snort rule has matched

              AV Detection

Source: shipping_documents.exe | ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | ReversingLabs: Detection: 53%
Source: shipping_documents.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Joe Sandbox ML: detected
Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.clipjoint.co.nz", "Username": "clipjoint@clipjoint.co.nz", "Password": "melandloz64"}
Source: shipping_documents.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: shipping_documents.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: i2QOV.pdbx" source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
Source: Binary string: i2QOV.pdb source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
Source: C:\Users\user\Desktop\shipping_documents.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: Joe Sandbox View | IP Address: 27.54.86.236
Source: global traffic | TCP traffic: 192.168.2.5:49699 -> 27.54.86.236:587
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://MFxeXD.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000003102000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.00000000031AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.clipjoint.co.nz
Source: shipping_documents.exe, 00000000.00000002.368254562.00000000075F1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comceF
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comcagE
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: vOqVEnqC.exe, 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://RGpFrRyIJy6rRTyqEb.net
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%mail.clipjoint.co.nzclipjoint
Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: mail.clipjoint.co.nz

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\shipping_documents.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\shipping_documents.exe
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
Source: shipping_documents.exe, 00000000.00000002.349816544.0000000000C38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\shipping_documents.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Window created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\shipping_documents.exe | File written: C:\Windows\System32\drivers\etc\hosts

              System Summary

              barindex
              Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
              Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: initial sampleStatic PE information: Filename: shipping_documents.exe
              Source: shipping_documents.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
              Source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_00BCC504
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_00BCE7F8
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_00BCE7E8
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_0746BD70
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07467CA8
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07460040
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07467810
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07466F60
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07469F18
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07467F18
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07466F24
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07467F28
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07462FA8
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07462FB8
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07463600
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07463610
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07461E28
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07461E38
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07463420
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07463430
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07467C97
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07468BCF
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07468BE0
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07461392
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_074613A0
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_0746BA80
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_074641C3
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_074641C8
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07463190
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_074631A0
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07460006
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07467802
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_0746C018
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_02F3E7F8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_02F3E7E8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_02F3C504
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07917CA8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_0791BCE0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07910040
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_0791BF88
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07912FB8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07912FA8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07919F18
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07917F18
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07916F24
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07917F28
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07916F60
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07913610
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07913600
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07911E38
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07911E28
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07917C97
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07913430
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07913420
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07911392
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_079113A0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07918BCF
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07918BE0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07913190
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_079131A0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_079141C8
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_0791B9F0
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07914118
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07917810
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07917802
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07910006
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_0118F6E0
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_0118FA28
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062A8A84
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062AA328
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062A3002
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062A8060
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062A0040
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062A61B0
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062AB288
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062AB2F0
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062AA327
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062AE8DA
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_0656DEC8
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_0656C818
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_0656ACF8
              Source: shipping_documents.exe, 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename159a3513-189a-4a39-a83d-9c07ca495265.exe4 vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamei2QOV.exe: vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.349816544.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.368254562.00000000075F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename159a3513-189a-4a39-a83d-9c07ca495265.exe4 vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000000.299936176.0000000000574000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamei2QOV.exe: vs shipping_documents.exe
              Source: shipping_documents.exe, 00000000.00000002.362172177.00000000048D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs shipping_documents.exe
              Source: shipping_documents.exe, 00000006.00000002.581226304.00000000009E8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs shipping_documents.exe
              Source: shipping_documents.exe	Binary or memory string: OriginalFilenamei2QOV.exe: vs shipping_documents.exe
              Source: shipping_documents.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: vOqVEnqC.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: LIhMQ.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: shipping_documents.exe	ReversingLabs: Detection: 53%
              Source: C:\Users\user\Desktop\shipping_documents.exe	File read: C:\Users\user\Desktop\shipping_documents.exe
              Source: shipping_documents.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\shipping_documents.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown	Process created: C:\Users\user\Desktop\shipping_documents.exe C:\Users\user\Desktop\shipping_documents.exe
              Source: C:\Users\user\Desktop\shipping_documents.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
              Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\shipping_documents.exe	Process created: C:\Users\user\Desktop\shipping_documents.exe {path} (2 entries)
              Source: unknown	Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe C:\Users\user\AppData\Roaming\vOqVEnqC.exe
              Source: C:\Users\user\Desktop\shipping_documents.exe	Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
              Source: unknown	Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe "C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe" (2 entries)
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp
              Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe	Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path} (2 entries)
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp
              Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe {path}
              Source: C:\Users\user\Desktop\shipping_documents.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
              Source: C:\Users\user\Desktop\shipping_documents.exe	Process created: C:\Users\user\Desktop\shipping_documents.exe {path} (3 entries)
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe {path}
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe	Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path} (2 entries)
              Source: C:\Users\user\Desktop\shipping_documents.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\shipping_documents.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\shipping_documents.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\shipping_documents.exe	File created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe
              Source: C:\Users\user\Desktop\shipping_documents.exe	File created: C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
              Source: classification engine	Classification label: mal100.troj.adwa.spyw.evad.winEXE@25/10@3/1
              Source: C:\Users\user\Desktop\shipping_documents.exe	File read: C:\Users\user\Desktop\desktop.ini
              Source: shipping_documents.exe, 00000006.00000002.590317910.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.000000000315A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: shipping_documents.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\shipping_documents.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\shipping_documents.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (3 entries)
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
              Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\KEXpxe
              Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:472:120:WilError_01
              Source: shipping_documents.exe	String found in binary or memory: WPlease check that the folder and files are in this location. If not, please uninstal and re-install the program. If this issue continues, please contact technical support.9\BlueSkyGlobal\UpdateImages\/Please insert your USB.
              Source: C:\Users\user\Desktop\shipping_documents.exe	File read: C:\Windows\System32\drivers\etc\hosts (2 entries)
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe	File read: C:\Windows\System32\drivers\etc\hosts (2 entries)
              Source: C:\Users\user\Desktop\shipping_documents.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\shipping_documents.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: shipping_documents.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: shipping_documents.exe	Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: shipping_documents.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: i2QOV.pdbx" source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
              Source: Binary string: i2QOV.pdb source: shipping_documents.exe, vOqVEnqC.exe.0.dr, LIhMQ.exe.6.dr
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 0_2_07461390 pushad ; iretd
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Code function: 5_2_07911390 pushad ; iretd
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062A581A push FFFFFF8Bh; retf
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062A78D5 push eax; retf
              Source: C:\Users\user\Desktop\shipping_documents.exe	Code function: 6_2_062A71FD push cs; retf 8B05h
              Source: initial sample	Static PE information: section name: .text entropy: 7.446877411021773 (3 entries)
              Source: C:\Users\user\Desktop\shipping_documents.exe	File created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
              Source: C:\Users\user\Desktop\shipping_documents.exe	File created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe
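The .text entropy entries above report 7.45 bits per byte against a maximum of 8, which for a .NET assembly (see the TRID and IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entries) is the usual footprint of an obfuscator carrying an encrypted payload rather than plain IL. The Python below is an added example for this page, not code from the report or from the sample: it computes per-section Shannon entropy by walking the PE section table with the standard library only (no pefile dependency) and classifies each section against rule-of-thumb bands. The bands and the constructed minimal PE it builds for an offline self-check are assumptions, not figures taken from the report.

```python
"""Per-section Shannon entropy for a PE file, using only the standard library.
Added example; the classification bands and the constructed test image are
assumptions, not values from the sandbox report."""
import math
import struct
from typing import Dict

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(entropy: float) -> str:
    """Rule-of-thumb bands (assumption): unpacked code sections usually sit
    around 5.5-6.5; compressed or encrypted payloads approach 8."""
    if entropy >= 7.0:
        return "packed/encrypted"
    if entropy >= 6.0:
        return "mixed/compressed"
    return "plain"


def section_entropies(pe: bytes) -> Dict[str, float]:
    """Walk the section table and return {section name: entropy of raw data}."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    result = {}
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]                    # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def build_test_pe(sections: Dict[str, bytes]) -> bytes:
    """Constructed minimal PE (parseable headers, not loadable) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    offset = e_lfanew + 24 + 40 * len(sections)      # raw data follows the table; no optional header
    headers, body = b"", b""
    for name, data in sections.items():
        headers += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"),
                               len(data), 0x1000, len(data), offset, 0, 0, 0, 0, 0x60000020)
        offset += len(data)
        body += data
    return dos + coff + headers + body


if __name__ == "__main__":
    demo = build_test_pe({".text": bytes(range(256)) * 16, ".rdata": b"\0" * 1024})
    for name, ent in section_entropies(demo).items():
        print(f"{name:8s} {ent:.3f}  {classify(ent)}")
```

For a real file, pass open(path, "rb").read() to section_entropies. On .NET samples such as this one a hot .text section usually means the obfuscator has stored an encrypted second stage inline, which fits the several different OriginalFilename values recovered from this process's memory above; treat entropy as a triage hint, not proof, since legitimate installers that embed compressed resources score just as high.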

              Boot Survival

              Source: C:\Users\user\Desktop\shipping_documents.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
              Source: C:\Users\user\Desktop\shipping_documents.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ (2 entries)
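The two persistence mechanisms recorded in this section, a scheduled task created from an XML definition staged in the user's Temp directory and a Run key value named LIhMQ, are both cheap to detect from Sysmon-style telemetry. The Python below is an added example written for this page, not code from the report or from the malware: it runs two checks over constructed process-creation (Event ID 1) and registry-set (Event ID 13) events modelled on the entries above. The SID in the registry path, the Run value data (the report shows only the value name) and the two benign control events are assumptions for the demonstration. The report renders the schtasks command line without its opening quote, leaving a stray quote after schtasks.exe, so the pattern tolerates that.

```python
"""Detections for the persistence seen in this report: schtasks /Create with a
task XML staged in a Temp directory, and a Run key value pointing into a
user-writable path. Added example; all events below are constructed."""
import re
from typing import Any, Dict, List, Tuple

# Temp directories an installer has no reason to stage a task definition in.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# User-writable locations where dropped payloads typically live.
USER_PATH_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\", re.IGNORECASE)
# The optional '"' after schtasks.exe keeps the pattern tolerant of the
# report's rendering, which drops the opening quote of the command line.
SCHTASKS_CREATE_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.IGNORECASE)
XML_ARG_RE = re.compile(r'/xml\s+"?([^"]+?)"?(?:\s+/|\s*$)', re.IGNORECASE)
TN_ARG_RE = re.compile(r'/tn\s+"?([^"]+?)"?(?:\s+/|\s*$)', re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)


def check_process_create(ev: Dict[str, Any]) -> List[str]:
    """Sysmon Event ID 1: flag schtasks /Create whose /XML lives in Temp, and
    schtasks launched from a user-writable parent (real installers live elsewhere)."""
    cmd = ev.get("CommandLine", "")
    if not SCHTASKS_CREATE_RE.search(cmd):
        return []
    findings = []
    xml = XML_ARG_RE.search(cmd)
    if xml and TEMP_DIR_RE.search(xml.group(1)):
        tn = TN_ARG_RE.search(cmd)
        task = tn.group(1) if tn else "?"
        findings.append(f"schtasks_temp_xml task={task} xml={xml.group(1)}")
    parent = ev.get("ParentImage", "")
    if USER_PATH_RE.search(parent):
        findings.append(f"schtasks_from_user_path parent={parent}")
    return findings


def check_registry_set(ev: Dict[str, Any]) -> List[str]:
    """Sysmon Event ID 13: flag Run/RunOnce values whose data points into a
    user-writable or Temp directory."""
    key = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not key:
        return []
    data = ev.get("Details", "")
    if USER_PATH_RE.search(data) or TEMP_DIR_RE.search(data):
        return [f"run_key_user_path value={key.group(1)} data={data}"]
    return []


def run_detections(events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Dispatch by event type; returns (image, finding) pairs in event order."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        if ev["EventID"] == 1:
            found = check_process_create(ev)
        elif ev["EventID"] == 13:
            found = check_registry_set(ev)
        else:
            found = []
        alerts.extend((ev["Image"], f) for f in found)
    return alerts


# Constructed events. The first two mirror the report's entries (command line
# verbatim, Run value name LIhMQ); the SID and the Run value data are assumed.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\shipping_documents.exe",
     "CommandLine": r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp'},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\shipping_documents.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\LIhMQ",
     "Details": r"C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"},
    # Benign controls: a vendor installer registering its own updater task and tray value.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" '
                    r'/XML "C:\Program Files\Vendor\updater.xml"'},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
]

if __name__ == "__main__":
    for image, finding in run_detections(SAMPLE_EVENTS):
        print(f"ALERT {image}: {finding}")
```

On a real host, feed it Sysmon events or EDR process telemetry instead of SAMPLE_EVENTS. The Run-key check will also fire on legitimate per-user installers that live under AppData (OneDrive and Teams do), so pair it with a signer or hash allowlist; the schtasks check is tighter, since a vendor installer rarely stages its task XML in Temp from an unsigned parent sitting on the Desktop.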

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\Desktop\shipping_documents.exe	File opened: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	File opened: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\shipping_documents.exe	Process information set: NOOPENFILEERRORBOX (38 entries)
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe	Process information set: NOOPENFILEERRORBOX (32 entries)
              Source: C:\Users\user\Desktop\shipping_documents.exe	Process information set: NOOPENFILEERRORBOX (54 entries)
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              barindex
              Source: Yara match File source: 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: LIhMQ.exe PID: 244, type: MEMORYSTR
              Source: shipping_documents.exe, 00000000.00000002.368254562.00000000078E1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: shipping_documents.exe, 00000000.00000002.368254562.00000000078E1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\shipping_documents.exe TID: 5880 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe TID: 4968 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\shipping_documents.exe TID: 5800 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\shipping_documents.exe TID: 4012 Thread sleep count: 9742 > 30
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 5928 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 5044 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe TID: 3804 Thread sleep count: 9448 > 30
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe TID: 5364 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe TID: 5416 Thread sleep count: 5854 > 30
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Last function: Thread delayed
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\shipping_documents.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\shipping_documents.exe Window / User API: threadDelayed 9742
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Window / User API: threadDelayed 9448
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Window / User API: threadDelayed 5854
              Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\shipping_documents.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\shipping_documents.exe Process information queried: ProcessInformation
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
              Source: LIhMQ.exe, 0000000E.00000002.637583427.0000000006D1F000.00000004.00000020.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000003.549988407.0000000006D14000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
              Source: LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: vOqVEnqC.exe, 00000011.00000002.634694904.0000000006570000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\shipping_documents.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\shipping_documents.exe Code function: 6_2_062A2508 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\shipping_documents.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: C:\Users\user\Desktop\shipping_documents.exe File written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\shipping_documents.exe Memory written: C:\Users\user\Desktop\shipping_documents.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Memory written: C:\Users\user\AppData\Roaming\vOqVEnqC.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Memory written: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\shipping_documents.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp
              Source: C:\Users\user\Desktop\shipping_documents.exe Process created: C:\Users\user\Desktop\shipping_documents.exe {path}
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe Process created: C:\Users\user\AppData\Roaming\vOqVEnqC.exe {path}
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe Process created: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe {path}
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Users\user\Desktop\shipping_documents.exe VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Users\user\AppData\Roaming\vOqVEnqC.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Users\user\Desktop\shipping_documents.exe VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Users\user\AppData\Roaming\vOqVEnqC.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\vOqVEnqC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\shipping_documents.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Users\user\Desktop\shipping_documents.exe | File written: C:\Windows\System32\drivers\etc\hosts

              Stealing of Sensitive Information

              Source: Yara match | File source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.591331951.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: LIhMQ.exe PID: 2280, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vOqVEnqC.exe PID: 1324, type: MEMORYSTR
              Source: C:\Users\user\Desktop\shipping_documents.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\shipping_documents.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\shipping_documents.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\Desktop\shipping_documents.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\Desktop\shipping_documents.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: Yara match | File source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: LIhMQ.exe PID: 2280, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vOqVEnqC.exe PID: 1324, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 5.2.vOqVEnqC.exe.4446b10.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.vOqVEnqC.exe.4446b10.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.shipping_documents.exe.39e5ac0.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.shipping_documents.exe.39e5ac0.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.591331951.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: shipping_documents.exe PID: 64, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vOqVEnqC.exe PID: 1248, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: shipping_documents.exe PID: 1544, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: LIhMQ.exe PID: 2280, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: vOqVEnqC.exe PID: 1324, type: MEMORYSTR

              MITRE ATT&CK Matrix (one line per tactic; a number preceding a technique is the report's count of matching signatures for that technique)

              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: 211 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
              Persistence: 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Defense Evasion: 1 File and Directory Permissions Modification; 1 Disable or Modify Tools; 3 Obfuscated Files or Information; 2 Software Packing; 1 Masquerading; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Hidden Files and Directories
              Credential Access: 2 OS Credential Dumping; 111 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: 1 File and Directory Discovery; 114 System Information Discovery; 311 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; Network Service Scanning
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
              Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 111 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
              Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph ID: 830622
Sample: shipping_documents.exe
Startdate: 20/03/2023
Architecture: WINDOWS
Score: 100

Behavior graph (text rendering; the numbers in parentheses are the graph's own node IDs):
• Start (2): DNS/IP: mail.clipjoint.co.nz. Signatures: Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 5 other signatures. Started: shipping_documents.exe (8), LIhMQ.exe (12), vOqVEnqC.exe (14), LIhMQ.exe (16).
• shipping_documents.exe (8): Dropped: C:\Users\user\AppData\Roaming\vOqVEnqC.exe (PE32); C:\Users\user\AppData\Local\...\tmp3F0C.tmp (XML); C:\Users\user\...\shipping_documents.exe.log (ASCII). Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules. Started: shipping_documents.exe (18), schtasks.exe (23), shipping_documents.exe (25), shipping_documents.exe (27).
• LIhMQ.exe (12): Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes. Started: LIhMQ.exe (29), schtasks.exe (31), LIhMQ.exe (33).
• vOqVEnqC.exe (14): Started: vOqVEnqC.exe (35), schtasks.exe (37).
• shipping_documents.exe (18): DNS/IP: mail.clipjoint.co.nz, 27.54.86.236, port 587, DREAMSCAPE-AS-AP Dreamscape Networks Limited AU, Australia. Dropped: C:\Users\user\AppData\Roaming\...\LIhMQ.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\...\LIhMQ.exe:Zone.Identifier (ASCII). Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Modifies the hosts file.
• schtasks.exe (23): Started: conhost.exe (39).
• LIhMQ.exe (29): Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook.
• schtasks.exe (31): Started: conhost.exe (41).
• vOqVEnqC.exe (35): Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier).
• schtasks.exe (37): Started: conhost.exe (43).

Submitted sample:

Source | Detection | Scanner | Label
shipping_documents.exe | 54% | ReversingLabs | Win32.Trojan.Leonem
shipping_documents.exe | 100% | Joe Sandbox ML | -

Dropped files:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\vOqVEnqC.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe | 54% | ReversingLabs | Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\vOqVEnqC.exe | 54% | ReversingLabs | Win32.Trojan.Leonem
              No Antivirus matches
              No Antivirus matches
URLs:

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
http://www.sajatypeworks.comcagE | 0% | Avira URL Cloud | safe
http://www.fontbureau.comceF | 0% | Avira URL Cloud | safe
https://api.ipify.org%mail.clipjoint.co.nzclipjoint | 0% | Avira URL Cloud | safe
http://MFxeXD.com | 0% | Avira URL Cloud | safe
https://RGpFrRyIJy6rRTyqEb.net | 0% | Avira URL Cloud | safe
http://mail.clipjoint.co.nz | 0% | Avira URL Cloud | safe
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.clipjoint.co.nz | 27.54.86.236 | true | false | - | unknown
URLs with context (Source = process and memory dump the string was found in):

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/? | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comceF | shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://mail.clipjoint.co.nz | shipping_documents.exe, 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000003102000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.00000000031AA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://MFxeXD.com | vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | shipping_documents.exe, 00000000.00000002.350966478.0000000001117000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sajatypeworks.comcagE | shipping_documents.exe, 00000000.00000003.304079093.000000000111D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp, shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%mail.clipjoint.co.nzclipjoint | shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fonts.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | shipping_documents.exe, 00000000.00000002.364622865.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | shipping_documents.exe, 00000000.00000002.368254562.00000000075F1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000005.00000002.518134460.0000000003222000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sakkal.com | shipping_documents.exe, 00000000.00000002.364622865.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | shipping_documents.exe, 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, LIhMQ.exe, 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, vOqVEnqC.exe, 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://RGpFrRyIJy6rRTyqEb.net | vOqVEnqC.exe, 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
27.54.86.236 | mail.clipjoint.co.nz | Australia | 38719 | DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | false
                                      Joe Sandbox Version:37.0.0 Beryl
                                      Analysis ID:830622
                                      Start date and time:2023-03-20 14:50:16 +01:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 12m 14s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:19
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample file name:shipping_documents.exe
                                      Detection:MAL
                                      Classification:mal100.troj.adwa.spyw.evad.winEXE@25/10@3/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 94%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                      • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • VT rate limit hit for: shipping_documents.exe
Time | Type | Description
14:51:23 | API Interceptor | 636x Sleep call for process: shipping_documents.exe modified
14:51:33 | Task Scheduler | Run new task: vOqVEnqC path: C:\Users\user\AppData\Roaming\vOqVEnqC.exe
14:51:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
14:51:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LIhMQ C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
14:51:59 | API Interceptor | 85x Sleep call for process: vOqVEnqC.exe modified
14:52:01 | API Interceptor | 268x Sleep call for process: LIhMQ.exe modified
                                      No context
                                      No context
                                      No context
                                      No context
                                      No context
                                      Process:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.355304211458859
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                      MD5:69206D3AF7D6EFD08F4B4726998856D3
                                      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      Process:C:\Users\user\Desktop\shipping_documents.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.355304211458859
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                      MD5:69206D3AF7D6EFD08F4B4726998856D3
                                      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                      Malicious:true
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      Process:C:\Users\user\AppData\Roaming\vOqVEnqC.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.355304211458859
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                      MD5:69206D3AF7D6EFD08F4B4726998856D3
                                      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      Process:C:\Users\user\AppData\Roaming\vOqVEnqC.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1645
                                      Entropy (8bit):5.175101949501581
                                      Encrypted:false
                                      SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgtn:cbhC7ZlNQF/rydbz9I3YODOLNdq34
                                      MD5:05EA33F3DB79C3F55A592AE8F55D0506
                                      SHA1:AB8FA39F7158848903BF0AE858C64F43F5201B1C
                                      SHA-256:1937CC368B67A85D6E2A5CA35515A03024BFD8708B3D259A99198F30EB2497E5
                                      SHA-512:9F1625115EE2AD779A926A2F583F5EBB3673F428F7AB1CBEB24B4B66502E21CF282633FBB685038D3DF42CD9070BB2B22886CC4926E882AFFE08B46AC178E99F
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                      Process:C:\Users\user\Desktop\shipping_documents.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1645
                                      Entropy (8bit):5.175101949501581
                                      Encrypted:false
                                      SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgtn:cbhC7ZlNQF/rydbz9I3YODOLNdq34
                                      MD5:05EA33F3DB79C3F55A592AE8F55D0506
                                      SHA1:AB8FA39F7158848903BF0AE858C64F43F5201B1C
                                      SHA-256:1937CC368B67A85D6E2A5CA35515A03024BFD8708B3D259A99198F30EB2497E5
                                      SHA-512:9F1625115EE2AD779A926A2F583F5EBB3673F428F7AB1CBEB24B4B66502E21CF282633FBB685038D3DF42CD9070BB2B22886CC4926E882AFFE08B46AC178E99F
                                      Malicious:true
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                      Process:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1645
                                      Entropy (8bit):5.175101949501581
                                      Encrypted:false
                                      SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgtn:cbhC7ZlNQF/rydbz9I3YODOLNdq34
                                      MD5:05EA33F3DB79C3F55A592AE8F55D0506
                                      SHA1:AB8FA39F7158848903BF0AE858C64F43F5201B1C
                                      SHA-256:1937CC368B67A85D6E2A5CA35515A03024BFD8708B3D259A99198F30EB2497E5
                                      SHA-512:9F1625115EE2AD779A926A2F583F5EBB3673F428F7AB1CBEB24B4B66502E21CF282633FBB685038D3DF42CD9070BB2B22886CC4926E882AFFE08B46AC178E99F
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                      Process:C:\Users\user\Desktop\shipping_documents.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):986624
                                      Entropy (8bit):7.440346319495974
                                      Encrypted:false
                                      SSDEEP:24576:Jy0QhPJkBhdsXcq1YLTH3p3k4zwCeWdBBuIJC6gE:Jy0QhEvsXb18mOi6p
                                      MD5:5EC19C18EFF49F78CE02E2CF1831C37D
                                      SHA1:9D7261D0E2558DD6BD26373C4E2421AD83AF6B19
                                      SHA-256:EE9C3569905A2A2B5141982928E9205A99170189DAB43F8626102E1A6DDDBE4E
                                      SHA-512:B7A8A7B81BC259728206CEBC2D7C7530791FAD39F5CC2A4FE0BAD61AE582E3529ED5A2F01A6F48E78724C80132F717E05525DC170C0DA5F2F40153A905CDD688
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 54%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.d..............P.............."... ...@....@.. ....................................@.................................P"..K....@.......................`......."............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................."......H............"......m....=..............................................Z(....8.....(....8....*.&~.......*...~....*.b(....8......(....8.....*.....(....*&~.......*...~....*..0..........8A.......E....Z.../...8U...s......... .....9....&8....s.........8....*(....8....s......... .....9....& ....8....s.........8....s.........8.......0..$.......8......*.~....o......8....8....8.....0..$.......8....8....8......*.~....o......8.....0...........~....o......8....8....8......*..0..........
                                      Process:C:\Users\user\Desktop\shipping_documents.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      Process:C:\Users\user\Desktop\shipping_documents.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):986624
                                      Entropy (8bit):7.440346319495974
                                      Encrypted:false
                                      SSDEEP:24576:Jy0QhPJkBhdsXcq1YLTH3p3k4zwCeWdBBuIJC6gE:Jy0QhEvsXb18mOi6p
                                      MD5:5EC19C18EFF49F78CE02E2CF1831C37D
                                      SHA1:9D7261D0E2558DD6BD26373C4E2421AD83AF6B19
                                      SHA-256:EE9C3569905A2A2B5141982928E9205A99170189DAB43F8626102E1A6DDDBE4E
                                      SHA-512:B7A8A7B81BC259728206CEBC2D7C7530791FAD39F5CC2A4FE0BAD61AE582E3529ED5A2F01A6F48E78724C80132F717E05525DC170C0DA5F2F40153A905CDD688
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 54%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.d..............P.............."... ...@....@.. ....................................@.................................P"..K....@.......................`......."............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................."......H............"......m....=..............................................Z(....8.....(....8....*.&~.......*...~....*.b(....8......(....8.....*.....(....*&~.......*...~....*..0..........8A.......E....Z.../...8U...s......... .....9....&8....s.........8....*(....8....s......... .....9....& ....8....s.........8....s.........8.......0..$.......8......*.~....o......8....8....8.....0..$.......8....8....8......*.~....o......8.....0...........~....o......8....8....8......*..0..........
                                      Process:C:\Users\user\Desktop\shipping_documents.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):835
                                      Entropy (8bit):4.694294591169137
                                      Encrypted:false
                                      SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                      MD5:6EB47C1CF858E25486E42440074917F2
                                      SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                      SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                      SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                      Malicious:true
                                      Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.440346319495974
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:shipping_documents.exe
                                      File size:986624
                                      MD5:5ec19c18eff49f78ce02e2cf1831c37d
                                      SHA1:9d7261d0e2558dd6bd26373c4e2421ad83af6b19
                                      SHA256:ee9c3569905a2a2b5141982928e9205a99170189dab43f8626102e1a6dddbe4e
                                      SHA512:b7a8a7b81bc259728206cebc2d7c7530791fad39f5cc2a4fe0bad61ae582e3529ed5a2f01a6f48e78724c80132f717e05525dc170c0da5f2f40153a905cdd688
                                      SSDEEP:24576:Jy0QhPJkBhdsXcq1YLTH3p3k4zwCeWdBBuIJC6gE:Jy0QhEvsXb18mOi6p
                                      TLSH:A025AF7D3EAEB9D1F578F671DBD08222E6E39EC3BA16CD4A15C2034C4602757B88225D
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.d..............P.............."... ...@....@.. ....................................@................................
                                      Icon Hash:00828e8e8686b000
                                      Entrypoint:0x4f229e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x641257E1 [Wed Mar 15 23:42:25 2023 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                       Instruction
                                       jmp dword ptr [00402000h]
                                       add byte ptr [eax], al
                                       (the last line repeats 97 times in the raw listing: the bytes following the jump are zero padding, and 00 00 decodes as add byte ptr [eax], al. The jump itself is the standard native entry stub of a .NET executable: 0x402000 is the image base 0x400000 plus the IAT at RVA 0x2000 listed below, whose single entry is mscoree.dll!_CorExeMain.)
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf2250 | 0x4b | .text
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x5a8 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf6000 | 0xc | .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf2208 | 0x1c | .text
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x2000 | 0xf02a4 | 0xf0400 | False | 0.7817164330775234 | data | 7.446877411021773 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rsrc | 0xf4000 | 0x5a8 | 0x600 | False | 0.4251302083333333 | data | 4.099101583815506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc | 0xf6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country
                                       RT_VERSION | 0xf40a0 | 0x31c | data | |
                                       RT_MANIFEST | 0xf43bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
                                       DLL | Import
                                       mscoree.dll | _CorExeMain
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Mar 20, 2023 14:52:17.063770056 CET | 49699 | 587 | 192.168.2.5 | 27.54.86.236
                                       Mar 20, 2023 14:52:20.247996092 CET | 49699 | 587 | 192.168.2.5 | 27.54.86.236
                                       Mar 20, 2023 14:52:26.253586054 CET | 49699 | 587 | 192.168.2.5 | 27.54.86.236
                                       Mar 20, 2023 14:53:09.896615028 CET | 49700 | 587 | 192.168.2.5 | 27.54.86.236
                                       Mar 20, 2023 14:53:13.050473928 CET | 49700 | 587 | 192.168.2.5 | 27.54.86.236
                                       Mar 20, 2023 14:53:19.051973104 CET | 49700 | 587 | 192.168.2.5 | 27.54.86.236
                                       Mar 20, 2023 14:53:19.772902966 CET | 49701 | 587 | 192.168.2.5 | 27.54.86.236
                                       Mar 20, 2023 14:53:22.942941904 CET | 49701 | 587 | 192.168.2.5 | 27.54.86.236
                                       Mar 20, 2023 14:53:28.943428993 CET | 49701 | 587 | 192.168.2.5 | 27.54.86.236
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Mar 20, 2023 14:52:16.981396914 CET | 60841 | 53 | 192.168.2.5 | 8.8.8.8
                                       Mar 20, 2023 14:52:17.015774012 CET | 53 | 60841 | 8.8.8.8 | 192.168.2.5
                                       Mar 20, 2023 14:53:09.380139112 CET | 61893 | 53 | 192.168.2.5 | 8.8.8.8
                                       Mar 20, 2023 14:53:09.426786900 CET | 53 | 61893 | 8.8.8.8 | 192.168.2.5
                                       Mar 20, 2023 14:53:19.682809114 CET | 60649 | 53 | 192.168.2.5 | 8.8.8.8
                                       Mar 20, 2023 14:53:19.761465073 CET | 53 | 60649 | 8.8.8.8 | 192.168.2.5
                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                       Mar 20, 2023 14:52:16.981396914 CET | 192.168.2.5 | 8.8.8.8 | 0x79b3 | Standard query (0) | mail.clipjoint.co.nz | A (IP address) | IN (0x0001) | false
                                       Mar 20, 2023 14:53:09.380139112 CET | 192.168.2.5 | 8.8.8.8 | 0x8d08 | Standard query (0) | mail.clipjoint.co.nz | A (IP address) | IN (0x0001) | false
                                       Mar 20, 2023 14:53:19.682809114 CET | 192.168.2.5 | 8.8.8.8 | 0x68a5 | Standard query (0) | mail.clipjoint.co.nz | A (IP address) | IN (0x0001) | false
                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                       Mar 20, 2023 14:52:17.015774012 CET | 8.8.8.8 | 192.168.2.5 | 0x79b3 | No error (0) | mail.clipjoint.co.nz | | 27.54.86.236 | A (IP address) | IN (0x0001) | false
                                       Mar 20, 2023 14:53:09.426786900 CET | 8.8.8.8 | 192.168.2.5 | 0x8d08 | No error (0) | mail.clipjoint.co.nz | | 27.54.86.236 | A (IP address) | IN (0x0001) | false
                                       Mar 20, 2023 14:53:19.761465073 CET | 8.8.8.8 | 192.168.2.5 | 0x68a5 | No error (0) | mail.clipjoint.co.nz | | 27.54.86.236 | A (IP address) | IN (0x0001) | false
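The TCP rows above show one pattern three times over: each source port (49699, 49700, 49701) sends to 27.54.86.236:587 three times, roughly 3 s and then 6 s apart, and no packet in the other direction is listed. That is the Windows SYN retransmission schedule (3 s initial timeout, doubled on retry, two retries), so each flow is a connection that was attempted but never established. 587/tcp is the SMTP submission port, the address is the answer for mail.clipjoint.co.nz, and together with the mail-credential signatures in this report that points to SMTP exfiltration that the sandbox never saw complete. The Python below is an added example and not part of the Joe Sandbox report: it re-enters the rows as literals, groups packets per 4-tuple, tests the inter-packet gaps against the backoff schedule and maps the destination back to the DNS answer. The RTO constant reflects the Windows default; the tolerance value and all function names are this example's own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# TCP rows from the report's network table, re-entered as literals:
# (timestamp, source port, destination port, source IP, destination IP).
TCP_PACKETS: List[Tuple[str, int, int, str, str]] = [
    ("Mar 20, 2023 14:52:17.063770056 CET", 49699, 587, "192.168.2.5", "27.54.86.236"),
    ("Mar 20, 2023 14:52:20.247996092 CET", 49699, 587, "192.168.2.5", "27.54.86.236"),
    ("Mar 20, 2023 14:52:26.253586054 CET", 49699, 587, "192.168.2.5", "27.54.86.236"),
    ("Mar 20, 2023 14:53:09.896615028 CET", 49700, 587, "192.168.2.5", "27.54.86.236"),
    ("Mar 20, 2023 14:53:13.050473928 CET", 49700, 587, "192.168.2.5", "27.54.86.236"),
    ("Mar 20, 2023 14:53:19.051973104 CET", 49700, 587, "192.168.2.5", "27.54.86.236"),
    ("Mar 20, 2023 14:53:19.772902966 CET", 49701, 587, "192.168.2.5", "27.54.86.236"),
    ("Mar 20, 2023 14:53:22.942941904 CET", 49701, 587, "192.168.2.5", "27.54.86.236"),
    ("Mar 20, 2023 14:53:28.943428993 CET", 49701, 587, "192.168.2.5", "27.54.86.236"),
]

# DNS answers from the report: name -> address.
DNS_ANSWERS: Dict[str, str] = {"mail.clipjoint.co.nz": "27.54.86.236"}

# Windows default: initial SYN retransmission timeout of 3 s, doubled on each retry.
# The relative tolerance is this example's choice; sandbox timestamps jitter by a few hundred ms.
SYN_RTO_SECONDS = 3.0
RTO_TOLERANCE = 0.5


def parse_report_timestamp(ts: str) -> datetime:
    """Parse 'Mon DD, YYYY HH:MM:SS.nnnnnnnnn TZ' as printed in the report.
    strptime's %f accepts at most six digits, so the nanosecond fraction is cut to
    microseconds; the zone suffix is dropped because every row carries the same one."""
    body, _zone = ts.rsplit(" ", 1)
    head, frac = body.split(".")
    micros = int(frac[:6].ljust(6, "0"))
    return datetime.strptime(head, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=micros)


def looks_like_syn_backoff(gaps: List[float]) -> bool:
    """True when the gaps between packets follow the SYN retry schedule:
    roughly RTO, then 2*RTO, then 4*RTO. A completed handshake shows no such spacing."""
    if len(gaps) < 2:
        return False
    expected = SYN_RTO_SECONDS
    for gap in gaps:
        if abs(gap - expected) > RTO_TOLERANCE * expected:
            return False
        expected *= 2
    return True


def find_failed_connections(packets, dns_answers):
    """Group packets by 4-tuple and report flows whose timing says the SYN was
    retransmitted without an answer, i.e. the connection never got established."""
    ip_to_name = {ip: name for name, ip in dns_answers.items()}
    flows = defaultdict(list)
    for ts, sport, dport, src, dst in packets:
        flows[(src, sport, dst, dport)].append(parse_report_timestamp(ts))

    failed = []
    for (src, sport, dst, dport), times in sorted(flows.items(), key=lambda kv: min(kv[1])):
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if looks_like_syn_backoff(gaps):
            failed.append({
                "src_port": sport,
                "dst": dst,
                "dst_name": ip_to_name.get(dst),  # None when the address was never resolved by name
                "dst_port": dport,
                "attempts": len(times),
                "first_seen": times[0].strftime("%H:%M:%S"),
                "gaps_s": [round(g, 2) for g in gaps],
            })
    return failed


if __name__ == "__main__":
    for f in find_failed_connections(TCP_PACKETS, DNS_ANSWERS):
        print(f"{f['first_seen']} {f['dst_name'] or f['dst']}:{f['dst_port']} from port {f['src_port']}: "
              f"{f['attempts']} SYNs, gaps {f['gaps_s']} s, never established")
```

Run stand-alone it prints three failed attempts to mail.clipjoint.co.nz:587 with gaps of about 3.2 s and 6.0 s each. The same grouping applied to a capture where the server did answer would show no such flow, because an established connection carries data packets at irregular intervals instead of a retransmitted SYN.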


                                      Target ID:0
                                      Start time:14:51:12
                                      Start date:20/03/2023
                                      Path:C:\Users\user\Desktop\shipping_documents.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\shipping_documents.exe
                                      Imagebase:0x480000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.353260765.00000000038D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Reputation:low

                                      Target ID:1
                                      Start time:14:51:32
                                      Start date:20/03/2023
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                       Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp"
                                      Imagebase:0x12f0000
                                      File size:185856 bytes
                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
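The schtasks command line in this process entry is what produced the report's "Sigma detected: Scheduled temp file as task from temp location" hit: a task is created from an XML definition that lives in %LOCALAPPDATA%\Temp and carries the tmpXXXX.tmp name that GetTempFileName (and therefore .NET's Path.GetTempFileName) produces. The Python below is an added example, not part of the Joe Sandbox report and not the Sigma rule itself; it reimplements that detection logic over constructed Sysmon-style process-creation records. The first record is the command line recorded for this sample, the other three are invented controls (a task created from C:\ProgramData, a /Query, and a cmd.exe line that merely mentions the temp file). The field names Image and CommandLine follow Sysmon Event ID 1; the helper names are this example's own.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed process-creation events shaped like Sysmon Event ID 1 (fields Image, CommandLine).
# The first CommandLine is the one the report recorded for Target ID 1; the other three are
# invented controls: a task created from a non-temp path, a /Query, and an unrelated process
# that merely mentions the temp file.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Updates\vOqVEnqC"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c type "C:\Users\user\AppData\Local\Temp\tmp3F0C.tmp"'},
]

# Task definitions are not normally imported from these directories (lower-cased for matching).
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
TEMP_ENV_PREFIXES = ("%temp%", "%tmp%")

# GetTempFileName, which .NET's Path.GetTempFileName wraps, names files tmpXXXX.tmp.
DOTNET_TEMPFILE = re.compile(r"tmp[0-9a-f]{4}\.tmp", re.IGNORECASE)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmd: str) -> List[str]:
    """Split on whitespace while keeping double-quoted arguments whole.
    Enough for schtasks arguments; it does not model every CommandLineToArgvW rule."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmd)]


def value_after(tokens: List[str], switch: str) -> Optional[str]:
    """Return the argument that follows a /switch (case-insensitive), or None."""
    lowered = [t.lower() for t in tokens]
    if switch in lowered:
        i = lowered.index(switch)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def is_temp_path(path: str) -> bool:
    p = path.lower()
    return p.startswith(TEMP_ENV_PREFIXES) or any(marker in p for marker in TEMP_DIR_MARKERS)


def classify_schtasks_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a hit when schtasks.exe creates a task from an XML file in a temp directory."""
    if ntpath.basename(event["Image"]).lower() != "schtasks.exe":
        return None
    tokens = split_windows_cmdline(event["CommandLine"])
    if "/create" not in {t.lower() for t in tokens}:
        return None
    xml_path = value_after(tokens, "/xml")
    if xml_path is None or not is_temp_path(xml_path):
        return None
    return {
        "task_name": value_after(tokens, "/tn"),
        "xml_path": xml_path,
        # True when the file name is the GetTempFileName pattern, a tell for .NET droppers.
        "dotnet_tempfile_name": DOTNET_TEMPFILE.fullmatch(ntpath.basename(xml_path)) is not None,
    }


def detect_suspicious_schtasks(events):
    return [hit for hit in (classify_schtasks_event(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for hit in detect_suspicious_schtasks(EVENTS):
        print(f"task {hit['task_name']!r} created from temp XML {hit['xml_path']} "
              f"(GetTempFileName-style name: {hit['dotnet_tempfile_name']})")
```

detect_suspicious_schtasks(EVENTS) returns exactly one hit, for the sample's command line. The task name it extracts, Updates\vOqVEnqC, is the pivot an analyst wants from this report: Target ID 5 below is C:\Users\user\AppData\Roaming\vOqVEnqC.exe, a copy of the sample with the same MD5, so the task and the dropped copy belong to the same persistence step.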

                                      Target ID:2
                                      Start time:14:51:32
                                      Start date:20/03/2023
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7fcd70000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:3
                                      Start time:14:51:32
                                      Start date:20/03/2023
                                      Path:C:\Users\user\Desktop\shipping_documents.exe
                                      Wow64 process (32bit):false
                                      Commandline:{path}
                                      Imagebase:0x2b0000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      Target ID:4
                                      Start time:14:51:33
                                      Start date:20/03/2023
                                      Path:C:\Users\user\Desktop\shipping_documents.exe
                                      Wow64 process (32bit):false
                                      Commandline:{path}
                                      Imagebase:0x320000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      Target ID:5
                                      Start time:14:51:33
                                      Start date:20/03/2023
                                      Path:C:\Users\user\AppData\Roaming\vOqVEnqC.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\vOqVEnqC.exe
                                      Imagebase:0xbf0000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000005.00000002.573256271.0000000004446000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 54%, ReversingLabs
                                      Reputation:low

                                      Target ID:6
                                      Start time:14:51:33
                                      Start date:20/03/2023
                                      Path:C:\Users\user\Desktop\shipping_documents.exe
                                      Wow64 process (32bit):true
                                      Commandline:{path}
                                      Imagebase:0x760000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
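
The Yara entries for Target 6 above are worth reading carefully: the two JoeSecurity rules hit in regions with protection 00000004 (PAGE_READWRITE, consistent with decrypted strings on the .NET heap), while the Windows_Trojan_AgentTesla_d3ac2b2f hit sits at base 0x430000 with protection 00000040 (PAGE_EXECUTE_READWRITE) in a private region, which is what an unpacked payload injected into the child looks like and is the region to dump for further analysis. The script below is an added triage helper, not part of the Joe Sandbox report: it parses the Source dump names, groups hits per Target ID and marks those in executable memory. The field layout it assumes is inferred from the values on this page (field 1 = Target ID in hex, field 4 = region base, field 5 = page protection, field 7 = region type); fields 2, 3, 6 and 8 are carried through undecoded, and the sample lines are copied from the Target 6 and Target 14 entries.

```python
"""Triage helper for Joe Sandbox "Yara matches" entries: decode each Source
dump name, group hits per Target ID and flag the ones in executable memory.
Added example, not part of the report. The dump-name field layout is an
ASSUMPTION inferred from this page: field 1 Target ID, field 4 region base,
field 5 page protection, field 7 region type (all hex). Fields 2, 3, 6, 8
are kept raw and not interpreted."""
import re
from collections import defaultdict

# Windows page protection and region type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0xF0  # any PAGE_EXECUTE* value has a bit in this nibble
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

YARA_LINE = re.compile(
    r"Rule:\s*(?P<rule>[^,\s]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<src>[^,\s]+),\s*Author:\s*(?P<author>.*)"
)

# Constructed sample: copied from the Target 6 and Target 14 entries of the report.
SAMPLE_MATCHES = """
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.590317910.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000002.579676048.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.590317910.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
"""


def parse_dump_name(src):
    """Split a .sdmp name into its eight hex fields under the assumed layout."""
    stem = src[:-len(".sdmp")] if src.endswith(".sdmp") else src
    fields = stem.split(".")
    if len(fields) != 8 or not all(re.fullmatch(r"[0-9A-Fa-f]{8,16}", f) for f in fields):
        raise ValueError(f"unexpected dump name: {src}")
    target, base, protect, region = (int(fields[i], 16) for i in (0, 3, 4, 6))
    return {
        "target_id": target,
        "base": base,
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:x}"),
        "executable": bool(protect & EXECUTABLE_MASK),
        "region": REGION_TYPE.get(region, f"0x{region:x}"),
        "raw_fields": fields,  # positions 1, 2, 5 and 7 are not decoded here
    }


def parse_matches(text):
    """Parse bullet lines of the report's Yara table into decoded hit dicts."""
    hits = []
    for line in text.splitlines():
        m = YARA_LINE.search(line)
        if not m:
            continue
        hit = parse_dump_name(m["src"])
        hit.update(rule=m["rule"], author=m["author"].strip())
        hits.append(hit)
    return hits


def triage(text):
    """Group hits by Target ID: {target_id: {"executable": [...], "data": [...]}}."""
    by_target = defaultdict(lambda: {"executable": [], "data": []})
    for h in parse_matches(text):
        bucket = "executable" if h["executable"] else "data"
        by_target[h["target_id"]][bucket].append(h)
    return dict(by_target)


if __name__ == "__main__":
    for tid, groups in sorted(triage(SAMPLE_MATCHES).items()):
        for h in groups["executable"]:
            print(f"Target {tid}: {h['rule']} @ 0x{h['base']:x} {h['protect_name']} "
                  f"{h['region']}  <- unpacked code, dump this region")
        for h in groups["data"]:
            print(f"Target {tid}: {h['rule']} @ 0x{h['base']:x} {h['protect_name']} {h['region']}")
```

Run against the whole Yara table of a report, the executable bucket tells you which Target IDs actually host the unpacked implant (here Target 6, the child spawned with the `{path}` command line) versus those that only hold decrypted configuration on the heap, and a Target with process entries but no hits at all (Targets 8 and 13 above) is a candidate for a failed or unfinished injection rather than a clean process.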

                                      Target ID:7
                                      Start time:14:51:47
                                      Start date:20/03/2023
                                      Path:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
                                      Imagebase:0xc60000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.466893886.00000000076B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 54%, ReversingLabs
                                      Reputation:low

                                      Target ID:8
                                      Start time:14:51:58
                                      Start date:20/03/2023
                                      Path:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe"
                                      Imagebase:0xb90000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:low

                                      Target ID:11
                                      Start time:14:52:15
                                      Start date:20/03/2023
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp"
                                      Imagebase:0x12f0000
                                      File size:185856 bytes
                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:12
                                      Start time:14:52:15
                                      Start date:20/03/2023
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7fcd70000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:13
                                      Start time:14:52:16
                                      Start date:20/03/2023
                                      Path:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                      Wow64 process (32bit):false
                                      Commandline:{path}
                                      Imagebase:0x10000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      Target ID:14
                                      Start time:14:52:16
                                      Start date:20/03/2023
                                      Path:C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe
                                      Wow64 process (32bit):true
                                      Commandline:{path}
                                      Imagebase:0xa20000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.591331951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.591331951.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:15
                                      Start time:14:52:33
                                      Start date:20/03/2023
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp"
                                      Imagebase:0x12f0000
                                      File size:185856 bytes
                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
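
Targets 11 and 15 above show the persistence step: schtasks.exe registers a task under the "Updates" folder from an XML definition written to the user's Temp directory (tmpE4E1.tmp, then tmp243C.tmp). The temp XML is normally deleted after registration, so the surviving copy of the definition is the task file under %SystemRoot%\System32\Tasks\<task name>. The detection below is an added example, not part of the Joe Sandbox report or of any vendor rule: it runs over constructed process-creation events whose command lines mirror the two entries above, and the event field layout (pid|image|parent image|command line) and the parent image values are assumptions for this example.

```python
"""Flag schtasks.exe /Create invocations that import a task XML from a
user-writable temp directory, the persistence pattern of Targets 11 and 15.
Added example, not part of the sandbox report. The log format
(pid|image|parent|cmdline) and the parent images are ASSUMPTIONS; the
command lines are taken from the report."""
import re
from pathlib import PureWindowsPath

TEMP_DIR_PATTERNS = [
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"\\Windows\\Temp\\", re.IGNORECASE),
    re.compile(r"%temp%", re.IGNORECASE),
]
# A parent living in a user-writable location raises severity.
USER_WRITABLE_PARENT = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.IGNORECASE)
TASKS_DIR = PureWindowsPath(r"C:\Windows\System32\Tasks")

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample events: two from the report's Targets 11 and 15, plus two benign ones.
SAMPLE_EVENTS = r"""
11|C:\Windows\SysWOW64\schtasks.exe|C:\Users\user\AppData\Roaming\vOqVEnqC.exe|"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmpE4E1.tmp"
15|C:\Windows\SysWOW64\schtasks.exe|C:\Users\user\AppData\Roaming\LIhMQ\LIhMQ.exe|"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOqVEnqC" /XML "C:\Users\user\AppData\Local\Temp\tmp243C.tmp"
20|C:\Windows\System32\schtasks.exe|C:\Windows\explorer.exe|schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"
21|C:\Windows\System32\schtasks.exe|C:\Windows\System32\cmd.exe|schtasks.exe /Query /TN "Updates\vOqVEnqC"
"""


def split_cmdline(cmdline):
    """Simplified Windows argv split: double-quoted spans or whitespace tokens.
    Backslash-escaped quotes are not handled; schtasks lines do not use them."""
    return [q or p for q, p in _ARG_RE.findall(cmdline)]


def switch_value(argv, switch):
    """Return the argument following a /switch (case-insensitive), or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok.lower() == switch.lower():
            return argv[i + 1]
    return None


def parse_event(line):
    pid, image, parent, cmdline = line.split("|", 3)
    return {"pid": int(pid), "image": image, "parent": parent, "cmdline": cmdline}


def detect_temp_task_import(event):
    """Return a finding if the event is schtasks /Create importing XML from a
    temp directory, else None."""
    if PureWindowsPath(event["image"]).name.lower() != "schtasks.exe":
        return None
    argv = split_cmdline(event["cmdline"])
    if "/create" not in (a.lower() for a in argv):
        return None
    xml_path = switch_value(argv, "/xml")
    if xml_path is None or not any(p.search(xml_path) for p in TEMP_DIR_PATTERNS):
        return None
    task_name = switch_value(argv, "/tn")
    return {
        "pid": event["pid"],
        "task_name": task_name,
        "xml_path": xml_path,
        "parent": event["parent"],
        "severity": "high" if USER_WRITABLE_PARENT.search(event["parent"]) else "medium",
        # The temp XML is usually gone by the time anyone looks; the registered
        # definition persists under %SystemRoot%\System32\Tasks\<task name>.
        "task_file": str(TASKS_DIR / task_name) if task_name else None,
    }


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            f = detect_temp_task_import(parse_event(line))
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} task={f['task_name']} "
              f"xml={f['xml_path']} parent={f['parent']} persisted={f['task_file']}")
```

The match is on the `/XML` argument rather than on the task name, because the folder and task name are attacker-chosen (here "Updates\vOqVEnqC") while importing a definition from %TEMP% is the part this family cannot easily avoid; the `task_file` field is what to collect on the host, since tmpE4E1.tmp and tmp243C.tmp will already have been removed.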

                                      Target ID:16
                                      Start time:14:52:33
                                      Start date:20/03/2023
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7fcd70000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:17
                                      Start time:14:52:35
                                      Start date:20/03/2023
                                      Path:C:\Users\user\AppData\Roaming\vOqVEnqC.exe
                                      Wow64 process (32bit):true
                                      Commandline:{path}
                                      Imagebase:0x9f0000
                                      File size:986624 bytes
                                      MD5 hash:5EC19C18EFF49F78CE02E2CF1831C37D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.593114242.000000000315F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.593114242.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                      No disassembly