Edit tour

Windows Analysis Report
Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Overview

General Information

Sample name:	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Analysis ID:	1585740
MD5:	44ae6d35f0098112e87243779c924551
SHA1:	5227540b8cbff57bc0e435451f4bf69245765253
SHA256:	c2c192862a68990222cacb9279cacf63370b015a429d2c39d94cbe15cf987388
Tags:	exeMassLoggeruser-threatcat_ch
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe (PID: 984 cmdline: "C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe" MD5: 44AE6D35F0098112E87243779C924551)

Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe (PID: 2336 cmdline: "C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe" MD5: 44AE6D35F0098112E87243779C924551)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "To": "COMPUTERNAME", "Port": 841675}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf061:$a1: get_encryptedPassword 0xf389:$a2: get_encryptedUsername 0xedea:$a3: get_timePasswordChanged 0xef0b:$a4: get_passwordField 0xf077:$a5: set_encryptedPassword 0x109dc:$a7: get_logins 0x1068d:$a8: GetOutlookPasswords 0x1047f:$a9: StartKeylogger 0x1092c:$a10: KeyLoggerEventArgs 0x104dc:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2888480424.0000000002704000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa4481:$a1: get_encryptedPassword 0xbb2b1:$a1: get_encryptedPassword 0xd1ed1:$a1: get_encryptedPassword 0xa47a9:$a2: get_encryptedUsername 0xbb5d9:$a2: get_encryptedUsername 0xd21f9:$a2: get_encryptedUsername 0xa420a:$a3: get_timePasswordChanged 0xbb03a:$a3: get_timePasswordChanged 0xd1c5a:$a3: get_timePasswordChanged 0xa432b:$a4: get_passwordField 0xbb15b:$a4: get_passwordField 0xd1d7b:$a4: get_passwordField 0xa4497:$a5: set_encryptedPassword 0xbb2c7:$a5: set_encryptedPassword 0xd1ee7:$a5: set_encryptedPassword 0xa5dfc:$a7: get_logins 0xbcc2c:$a7: get_logins 0xd384c:$a7: get_logins 0xa5aad:$a8: GetOutlookPasswords 0xbc8dd:$a8: GetOutlookPasswords 0xd34fd:$a8: GetOutlookPasswords
Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4cb38:$a1: get_encryptedPassword 0x4cdd3:$a2: get_encryptedUsername 0x4c8e2:$a3: get_timePasswordChanged 0x4c9f6:$a4: get_passwordField 0x4cb4e:$a5: set_encryptedPassword 0x4dff2:$a7: get_logins 0x4dd20:$a8: GetOutlookPasswords 0x4db5a:$a9: StartKeylogger 0x4df57:$a10: KeyLoggerEventArgs 0x4dbb7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x263b:$a1: get_encryptedPassword 0x2954:$a2: get_encryptedUsername 0x23d8:$a3: get_timePasswordChanged 0x24f9:$a4: get_passwordField 0x2651:$a5: set_encryptedPassword 0x3f5d:$a7: get_logins 0x3c0e:$a8: GetOutlookPasswords 0x3a00:$a9: StartKeylogger 0x3ead:$a10: KeyLoggerEventArgs 0x3a5d:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf261:$a1: get_encryptedPassword 0xf589:$a2: get_encryptedUsername 0xefea:$a3: get_timePasswordChanged 0xf10b:$a4: get_passwordField 0xf277:$a5: set_encryptedPassword 0x10bdc:$a7: get_logins 0x1088d:$a8: GetOutlookPasswords 0x1067f:$a9: StartKeylogger 0x10b2c:$a10: KeyLoggerEventArgs 0x106dc:$a11: KeyLoggerEventArgsEventHandler
2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x142b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x137b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x13abf:$a4: \Orbitum\User Data\Default\Login Data 0x148b7:$a5: \Kometa\User Data\Default\Login Data
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd461:$a1: get_encryptedPassword 0xd789:$a2: get_encryptedUsername 0xd1ea:$a3: get_timePasswordChanged 0xd30b:$a4: get_passwordField 0xd477:$a5: set_encryptedPassword 0xeddc:$a7: get_logins 0xea8d:$a8: GetOutlookPasswords 0xe87f:$a9: StartKeylogger 0xed2c:$a10: KeyLoggerEventArgs 0xe8dc:$a11: KeyLoggerEventArgsEventHandler
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x124b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x119b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x11cbf:$a4: \Orbitum\User Data\Default\Login Data 0x12ab7:$a5: \Kometa\User Data\Default\Login Data
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf261:$a1: get_encryptedPassword 0x26091:$a1: get_encryptedPassword 0x3ccb1:$a1: get_encryptedPassword 0xf589:$a2: get_encryptedUsername 0x263b9:$a2: get_encryptedUsername 0x3cfd9:$a2: get_encryptedUsername 0xefea:$a3: get_timePasswordChanged 0x25e1a:$a3: get_timePasswordChanged 0x3ca3a:$a3: get_timePasswordChanged 0xf10b:$a4: get_passwordField 0x25f3b:$a4: get_passwordField 0x3cb5b:$a4: get_passwordField 0xf277:$a5: set_encryptedPassword 0x260a7:$a5: set_encryptedPassword 0x3ccc7:$a5: set_encryptedPassword 0x10bdc:$a7: get_logins 0x27a0c:$a7: get_logins 0x3e62c:$a7: get_logins 0x1088d:$a8: GetOutlookPasswords 0x276bd:$a8: GetOutlookPasswords 0x3e2dd:$a8: GetOutlookPasswords
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x142b3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2b0e3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41d03:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x137b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a5e1:$a3: \Google\Chrome\User Data\Default\Login Data 0x41201:$a3: \Google\Chrome\User Data\Default\Login Data 0x13abf:$a4: \Orbitum\User Data\Default\Login Data 0x2a8ef:$a4: \Orbitum\User Data\Default\Login Data 0x4150f:$a4: \Orbitum\User Data\Default\Login Data 0x148b7:$a5: \Kometa\User Data\Default\Login Data 0x2b6e7:$a5: \Kometa\User Data\Default\Login Data 0x42307:$a5: \Kometa\User Data\Default\Login Data
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x502d1:$a1: get_encryptedPassword 0x67101:$a1: get_encryptedPassword 0x7dd21:$a1: get_encryptedPassword 0x505f9:$a2: get_encryptedUsername 0x67429:$a2: get_encryptedUsername 0x7e049:$a2: get_encryptedUsername 0x5005a:$a3: get_timePasswordChanged 0x66e8a:$a3: get_timePasswordChanged 0x7daaa:$a3: get_timePasswordChanged 0x5017b:$a4: get_passwordField 0x66fab:$a4: get_passwordField 0x7dbcb:$a4: get_passwordField 0x502e7:$a5: set_encryptedPassword 0x67117:$a5: set_encryptedPassword 0x7dd37:$a5: set_encryptedPassword 0x51c4c:$a7: get_logins 0x68a7c:$a7: get_logins 0x7f69c:$a7: get_logins 0x518fd:$a8: GetOutlookPasswords 0x6872d:$a8: GetOutlookPasswords 0x7f34d:$a8: GetOutlookPasswords
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x55323:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6c153:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x82d73:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x54821:$a3: \Google\Chrome\User Data\Default\Login Data 0x6b651:$a3: \Google\Chrome\User Data\Default\Login Data 0x82271:$a3: \Google\Chrome\User Data\Default\Login Data 0x54b2f:$a4: \Orbitum\User Data\Default\Login Data 0x6b95f:$a4: \Orbitum\User Data\Default\Login Data 0x8257f:$a4: \Orbitum\User Data\Default\Login Data 0x55927:$a5: \Kometa\User Data\Default\Login Data 0x6c757:$a5: \Kometa\User Data\Default\Login Data 0x83377:$a5: \Kometa\User Data\Default\Login Data
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a101:$a1: get_encryptedPassword 0x90f31:$a1: get_encryptedPassword 0xa7b51:$a1: get_encryptedPassword 0x7a429:$a2: get_encryptedUsername 0x91259:$a2: get_encryptedUsername 0xa7e79:$a2: get_encryptedUsername 0x79e8a:$a3: get_timePasswordChanged 0x90cba:$a3: get_timePasswordChanged 0xa78da:$a3: get_timePasswordChanged 0x79fab:$a4: get_passwordField 0x90ddb:$a4: get_passwordField 0xa79fb:$a4: get_passwordField 0x7a117:$a5: set_encryptedPassword 0x90f47:$a5: set_encryptedPassword 0xa7b67:$a5: set_encryptedPassword 0x7ba7c:$a7: get_logins 0x928ac:$a7: get_logins 0xa94cc:$a7: get_logins 0x7b72d:$a8: GetOutlookPasswords 0x9255d:$a8: GetOutlookPasswords 0xa917d:$a8: GetOutlookPasswords
0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x7f153:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x95f83:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xacba3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e651:$a3: \Google\Chrome\User Data\Default\Login Data 0x95481:$a3: \Google\Chrome\User Data\Default\Login Data 0xac0a1:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e95f:$a4: \Orbitum\User Data\Default\Login Data 0x9578f:$a4: \Orbitum\User Data\Default\Login Data 0xac3af:$a4: \Orbitum\User Data\Default\Login Data 0x7f757:$a5: \Kometa\User Data\Default\Login Data 0x96587:$a5: \Kometa\User Data\Default\Login Data 0xad1a7:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T07:01:57.008516+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.2888480424.00000000025E1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "To": "COMPUTERNAME", "Port": 841675}

Multi AV Scanner detection for submitted file

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655913182.0000000002B71000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 00D08922h	2_2_00D08508
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 00D081F9h	2_2_00D07F48
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 00D08922h	2_2_00D084F8
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 00D08922h	2_2_00D0884F
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 4x nop then jmp 00D0FAF8h	2_2_00D0F7F8

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000267B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000267B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 0_2_00E8E084	0_2_00E8E084
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 0_2_08D717D9	0_2_08D717D9
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D0AC08	2_2_00D0AC08
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D02DE0	2_2_00D02DE0
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D0F128	2_2_00D0F128
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D07F48	2_2_00D07F48
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D0E780	2_2_00D0E780
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D027B9	2_2_00D027B9
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D0E77C	2_2_00D0E77C
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D0AC06	2_2_00D0AC06
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D0EF08	2_2_00D0EF08
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D0F7F8	2_2_00D0F7F8
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D07F37	2_2_00D07F37

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655913182.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655913182.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000000.1641724730.0000000000802000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNone.exe* vs Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655913182.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVebinace.dll2 vs Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2886767429.000000000071A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2886631566.00000000006F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Binary or memory string: OriginalFilenameNone.exe* vs Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Mutant created: NULL

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.00000000026DD000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.00000000026BF000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.00000000026CE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe"
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process created: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe"
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process created: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Static PE information: 0x827F415A [Thu May 19 00:31:22 2039 UTC]

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D03F7A push ebx; retn 5500h	2_2_00D03F86
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D007FF push ebx; retn 0000h	2_2_00D00802
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D00811 push ebx; retn 0000h	2_2_00D00812
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D0081F push ebx; retn 0000h	2_2_00D00822
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Code function: 2_2_00D00828 push ebp; retn 0000h	2_2_00D00832

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Static PE information: section name: .text entropy: 7.733649552354785

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Memory allocated: E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Memory allocated: 45E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe TID: 4076

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2887232668.00000000008F7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Code function: 2_2_00D0F128 LdrInitializeThunk,LdrInitializeThunk,

2_2_00D0F128

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Process created: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe "C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2888480424.0000000002704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3c0e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3bcd1b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.3ba3380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe PID: 2336, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	13 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.MassloggerRAT
Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	100%	Avira	HEUR/AGEN.1306813
Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000267B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000267B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1657512161.0000000006D02000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe, 00000002.00000002.2888480424.000000000265F000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585740
Start date and time:	2025-01-08 07:01:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 24 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/ricr/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
132.226.247.73	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	3.elf	Get hash	malicious	Unknown	Browse	1.4.26.56
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=evsqlwgFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#test@kghm.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://plnbl.io/review/VdCYQSoKp54z	Get hash	malicious	HTMLPhisher	Browse	104.22.54.104
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, XWorm, Xmrig	Browse	104.21.36.11
	https://www.google.com/url?q=YG2GERTSbxgfeaGh1Yi5pby8yODY0MDkxOTEyNjI3MjNkMzQzMGNlYjE1ZTRjZjNlZWUwMTM5NGMyMDk3MmRmYTllZTBkMzUzMDBlZDFjOWNjMjdhNWZiYmM0OTU1ODkzMjEyMjI5MjAwOTkviinbsewtyuas53D1e4a0cefd8db4ad28e54c10117f7d498%2526i%253DNjI2YjE3MTBiZWI4YTgxMWUwNDIxNzE3%2526p%253Dm%2526s%253DAVNPUEhUT0NFTkNSWVBUSVYmhcLGCIsQzpMqHgYCBBo2kwEPWKEfFaahaLsnpofO4A%2526t%253DM3dHV0ZCT2t4azAvRVhKQ3B1ZC95RFFTdmpSMCt3cEFxWHJocUMzM0EyZz0%25253D%2526u%253DaHR0cHM6Ly9tLmV4YWN0YWcuY29tL2NsLmFzcHg_ZXh0UHJvdkFwaT1zaXh0L&sa=t&url=amp%2Fdlocumndjkacheckckoqingnmlcsoftlineon-secure-portal.us-iad-10.linodeobjects.com/newdocusign.html#Tdcjoiletuzn43fqnlhtwn8dbfakjhsdbfjhasbdfkjasbdkf%20ashjdbaksdbfkjasbdbfad	Get hash	malicious	Unknown	Browse	104.18.95.41
	https://sUNg.ethamoskag.ru/0cUrcw3/#Msburkholder@heartland-derm.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://juddshaw.acemlnc.com/lt.php?x=3DZy~GDHJXeaEpz5-g1FVxNz1qEjv_Qij~tijXnLI3Ke75_7z0y.yuJz5X6lmNI~jusw	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Sburkholder.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	188.114.96.3
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	188.114.97.3
UTMEMUS	miori.ppc.elf	Get hash	malicious	Unknown	Browse	132.224.247.83
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	armv5l.elf	Get hash	malicious	Unknown	Browse	132.244.2.45
	31.13.224.14-x86-2025-01-03T22_14_18.elf	Get hash	malicious	Mirai	Browse	132.226.42.231
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.713164928219554
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
File size:	210'944 bytes
MD5:	44ae6d35f0098112e87243779c924551
SHA1:	5227540b8cbff57bc0e435451f4bf69245765253
SHA256:	c2c192862a68990222cacb9279cacf63370b015a429d2c39d94cbe15cf987388
SHA512:	f4b1a2e12cba34f74008336a29a58472aa7ab8612be1f803a306b939fe37cad3486ae79ba902ab33621180f5144a1851f4b176ef740a8c5801739d1455f6718a
SSDEEP:	3072:gXeIOgeLRN9KkUFBlFdXcowGj8x5B1H7ljUpUxazpJEJ2WTi5s/N2Fbg:guIOgelGrfgGjq5B1H7ljUpUxlJ2u+
TLSH:	3124F7DB07ACC254E8DC4232D552CEA19FB4F196B6BB5BD7196BBA4DDC8839C080C6D0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ZA................0..............7... ...@....@.. ....................................@................................

File Icon


Icon Hash:	64581e034d0d9919

Static PE Info

General

Entrypoint:	0x43371e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x827F415A [Thu May 19 00:31:22 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x336c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0x1b6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31724	0x31800	7a3cb9c31e5824317c4ec0fffdbf2b70	False	0.6842250631313131	data	7.733649552354785	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x34000	0x1b6c	0x1c00	75dfd18645095dec02dc4a4df252e918	False	0.8440290178571429	data	7.378634137537574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0xc	0x200	6f6bb9996e1bcbc53f04faf30c5d7cb1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x34130	0x153e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9711290915777859
RT_GROUP_ICON	0x35670	0x14	data	0.9
RT_VERSION	0x35684	0x2fc	data	0.43324607329842935
RT_MANIFEST	0x35980	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T07:01:57.008516+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49732	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 07:01:56.006426096 CET	49732	80	192.168.2.4	132.226.247.73
Jan 8, 2025 07:01:56.011317968 CET	80	49732	132.226.247.73	192.168.2.4
Jan 8, 2025 07:01:56.011509895 CET	49732	80	192.168.2.4	132.226.247.73
Jan 8, 2025 07:01:56.011729002 CET	49732	80	192.168.2.4	132.226.247.73
Jan 8, 2025 07:01:56.016462088 CET	80	49732	132.226.247.73	192.168.2.4
Jan 8, 2025 07:01:56.703402996 CET	80	49732	132.226.247.73	192.168.2.4
Jan 8, 2025 07:01:56.752907038 CET	49732	80	192.168.2.4	132.226.247.73
Jan 8, 2025 07:01:56.757697105 CET	80	49732	132.226.247.73	192.168.2.4
Jan 8, 2025 07:01:56.962198019 CET	80	49732	132.226.247.73	192.168.2.4
Jan 8, 2025 07:01:57.008516073 CET	49732	80	192.168.2.4	132.226.247.73
Jan 8, 2025 07:01:57.011583090 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 07:01:57.011627913 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 07:01:57.011852026 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 07:01:57.045154095 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 07:01:57.045169115 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 07:01:57.525266886 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 07:01:57.525343895 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 07:01:57.530813932 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 07:01:57.530823946 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 07:01:57.531110048 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 07:01:57.581604004 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 07:01:57.623336077 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 07:01:57.695321083 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 07:01:57.695379972 CET	443	49733	188.114.97.3	192.168.2.4
Jan 8, 2025 07:01:57.695450068 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 07:01:57.702341080 CET	49733	443	192.168.2.4	188.114.97.3
Jan 8, 2025 07:03:01.961798906 CET	80	49732	132.226.247.73	192.168.2.4
Jan 8, 2025 07:03:01.961872101 CET	49732	80	192.168.2.4	132.226.247.73
Jan 8, 2025 07:03:36.993838072 CET	49732	80	192.168.2.4	132.226.247.73
Jan 8, 2025 07:03:36.998603106 CET	80	49732	132.226.247.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 07:01:55.994265079 CET	54068	53	192.168.2.4	1.1.1.1
Jan 8, 2025 07:01:56.001151085 CET	53	54068	1.1.1.1	192.168.2.4
Jan 8, 2025 07:01:56.998085022 CET	59498	53	192.168.2.4	1.1.1.1
Jan 8, 2025 07:01:57.005306005 CET	53	59498	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 07:01:55.994265079 CET	192.168.2.4	1.1.1.1	0xe990	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 07:01:56.998085022 CET	192.168.2.4	1.1.1.1	0x3db5	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 07:01:56.001151085 CET	1.1.1.1	192.168.2.4	0xe990	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 07:01:56.001151085 CET	1.1.1.1	192.168.2.4	0xe990	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 8, 2025 07:01:56.001151085 CET	1.1.1.1	192.168.2.4	0xe990	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 8, 2025 07:01:56.001151085 CET	1.1.1.1	192.168.2.4	0xe990	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 8, 2025 07:01:56.001151085 CET	1.1.1.1	192.168.2.4	0xe990	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 8, 2025 07:01:56.001151085 CET	1.1.1.1	192.168.2.4	0xe990	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 8, 2025 07:01:57.005306005 CET	1.1.1.1	192.168.2.4	0x3db5	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 8, 2025 07:01:57.005306005 CET	1.1.1.1	192.168.2.4	0x3db5	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	132.226.247.73	80	2336	C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 07:01:56.011729002 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 07:01:56.703402996 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 06:01:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 07:01:56.752907038 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 07:01:56.962198019 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 06:01:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	188.114.97.3	443	2336	C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 06:01:57 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 06:01:57 UTC	855	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 06:01:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1630906 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=57sgIlIKN8IyLxNm%2FLkG9A29Aa2fcGBxwacS5qKuz9k9mUfuQSJUkAkPOpVZCJDP4AVz%2B5z7Y1WqK4b6XnJkxElZg5JxPwGop5VMcrz%2Bb3jyRiUR79Ttwk1r8AFQfGaN9W9T04JT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe9f9d73830c32d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1650&rtt_var=631&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1718658&cwnd=252&unsent_bytes=0&cid=a2f16f20ea6d360b&ts=181&x=0"
2025-01-08 06:01:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	01:01:53
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe"
Imagebase:	0x800000
File size:	210'944 bytes
MD5 hash:	44AE6D35F0098112E87243779C924551
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1655987843.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:01:54
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe"
Imagebase:	0x2f0000
File size:	210'944 bytes
MD5 hash:	44AE6D35F0098112E87243779C924551
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2886767429.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2888480424.0000000002704000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.4%
Total number of Nodes:	126
Total number of Limit Nodes:	11

Executed Functions

Function 08D717D9 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1658735961.0000000008D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d70000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a2eea68b4d3e611871aacc26663f0afb9fced5afd1cc76ef96e9cc135e481e
Instruction ID: c8ecbb6f933ccdc3d232c9645d4985217f22059d7e0ecb1d9de90e6cc42d0325
Opcode Fuzzy Hash: 08a2eea68b4d3e611871aacc26663f0afb9fced5afd1cc76ef96e9cc135e481e
Instruction Fuzzy Hash: D4D11930A00219CFDF14DFA9C948BADBBF1BF44355F158658E809AF2A5EB70E945CB84

Function 00E8D530 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E8D5BE
GetCurrentThread.KERNEL32 ref: 00E8D5FB
GetCurrentProcess.KERNEL32 ref: 00E8D638
GetCurrentThreadId.KERNEL32 ref: 00E8D691

Strings

4'^q, xrefs: 00E8D509

Memory Dump Source

Source File: 00000000.00000002.1655092736.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4'^q
API String ID: 2063062207-1614139903
Opcode ID: 1ead02096a231b116d2667796587c8fb715ae17b271b561aa0bb7a799fcfcf67
Instruction ID: e71214463b2f2f76e995835bbd9159ad9e1d0d750827291e76d437b75a899b86
Opcode Fuzzy Hash: 1ead02096a231b116d2667796587c8fb715ae17b271b561aa0bb7a799fcfcf67
Instruction Fuzzy Hash: 926147B0900349CFCB14DFA9D948BDEBFF1EF89318F248459D409AB2A0DB749985CB65

Function 00E8D540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E8D5BE
GetCurrentThread.KERNEL32 ref: 00E8D5FB
GetCurrentProcess.KERNEL32 ref: 00E8D638
GetCurrentThreadId.KERNEL32 ref: 00E8D691

Memory Dump Source

Source File: 00000000.00000002.1655092736.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 584d114075522e74116f2755e5627ab59aa85eb36923bec91b5888f99bfd7c7e
Instruction ID: 87cec6baac8d7336fb6cf11c696b6105984be54a4b1ff65f1c25415ec7901c93
Opcode Fuzzy Hash: 584d114075522e74116f2755e5627ab59aa85eb36923bec91b5888f99bfd7c7e
Instruction Fuzzy Hash: A15126B0900359CFDB14DFA9D548BDEBBF1AF88314F208469E419B72A0DB749984CF65

Function 00E8B2AD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E8B4FE

Strings

DP, xrefs: 00E8B436
DP, xrefs: 00E8B45B

Memory Dump Source

Source File: 00000000.00000002.1655092736.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: HandleModule
String ID: DP$DP
API String ID: 4139908857-2441717064
Opcode ID: bd33626e3e79e10bdc4feb9976e93581cfc955828f5e407226fa68b5a910c1eb
Instruction ID: d1b262a881481a11aa1d58b3d1b65f4b44f4b3f002b54b35bb8e59f5acf090d5
Opcode Fuzzy Hash: bd33626e3e79e10bdc4feb9976e93581cfc955828f5e407226fa68b5a910c1eb
Instruction Fuzzy Hash: 9D712470A00B058FD724EF29D14179ABBF1BF88304F109A2ED09AEBB50D775E949CB91

Function 00E8590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E859C9

Memory Dump Source

Source File: 00000000.00000002.1655092736.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 057c04f08037f729706f433a86108a462bb71ec14753cb03e4bb5909d2330497
Instruction ID: 5d40f28ea96e5ff4e5404af15303a5a86b1de2788f3763275bd0a6242e07a809
Opcode Fuzzy Hash: 057c04f08037f729706f433a86108a462bb71ec14753cb03e4bb5909d2330497
Instruction Fuzzy Hash: EF41F4B1C00619CFDB24DFA9C8847DEBBB5BF49304F24819AD408AB255DB75594ACF90

Function 00E8449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E859C9

Memory Dump Source

Source File: 00000000.00000002.1655092736.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bd39efcaa83c0faf2554292d8e8d85fc094a87cd7e73f311e5a06599fb4d18d3
Instruction ID: e584bcef33877b281c4eaace4771af0322190b15404ebfc8bbdf449f96a9cbb1
Opcode Fuzzy Hash: bd39efcaa83c0faf2554292d8e8d85fc094a87cd7e73f311e5a06599fb4d18d3
Instruction Fuzzy Hash: 1141DFB1C00629CFDB24DFA9C884B9EBBB5BF48304F2481AAD418AB255DB756945CF90

Function 08D720A1 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 08D72132

Memory Dump Source

Source File: 00000000.00000002.1658735961.0000000008D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d70000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 44776f16609b3c6996d07879e3fba7a99ebf5ea7db06785247333ed356b8ca57
Instruction ID: 7a5c57b5917494b2bfb67e98ffab4aafe348deecd1a371851a8492d515a895a9
Opcode Fuzzy Hash: 44776f16609b3c6996d07879e3fba7a99ebf5ea7db06785247333ed356b8ca57
Instruction Fuzzy Hash: F13145B490428A8FCB01DFA9D880A9EFFF0FB49314F148659D455AB362D374A984CFA1

Function 00E8D780 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E8D80F

Memory Dump Source

Source File: 00000000.00000002.1655092736.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d19b97187f4b23d6bdd417737ecd7c61d9aa41cf0a7563979b8a14979827130d
Instruction ID: 545f6d11ed97d8918ca4f61382ab8c3a1fdba72fef865d99e7fcd889ab3c3a4f
Opcode Fuzzy Hash: d19b97187f4b23d6bdd417737ecd7c61d9aa41cf0a7563979b8a14979827130d
Instruction Fuzzy Hash: FB21E3B5900258AFDB10CFAAD984ADEBFF4EB48324F14801AE958A3350D374A944CFA5

Function 00E8D788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E8D80F

Memory Dump Source

Source File: 00000000.00000002.1655092736.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 013c878b7c6f646bdec8d4636b553e90f3f20498d71dd647caafde929167eada
Instruction ID: a05d505d8a3b06c15ccca77a4836593b29c780b8bc02f16c2bf271885bdad440
Opcode Fuzzy Hash: 013c878b7c6f646bdec8d4636b553e90f3f20498d71dd647caafde929167eada
Instruction Fuzzy Hash: C321C4B5900258DFDB10CF9AD984ADEBFF4FB48320F14841AE958A7350D374A944CFA5

Function 08D72198 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 08D72211

Memory Dump Source

Source File: 00000000.00000002.1658735961.0000000008D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d70000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 24491aa871c5e19965f54a36f59fdccd8934136ab2699f6499f802a548b1fc52
Instruction ID: 5b802aba6d3fdcd5d64862cf52d44df681945709181e407e35440b5c2e6beb55
Opcode Fuzzy Hash: 24491aa871c5e19965f54a36f59fdccd8934136ab2699f6499f802a548b1fc52
Instruction Fuzzy Hash: 772177B1D042498FDB14CFAAC884BEEFBF4EB88320F14842ED459A7250D774A944CFA5

Function 08D721A0 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 08D72211

Memory Dump Source

Source File: 00000000.00000002.1658735961.0000000008D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d70000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 5d985f5dfcb25b814cf040fa071d4735b219e586473b5b3e1dc8a91fb0d29d3e
Instruction ID: 251acbbf3b3ec3ae69392fed778554adf8ebdeca3ecd6d2b5755d162bd36f08d
Opcode Fuzzy Hash: 5d985f5dfcb25b814cf040fa071d4735b219e586473b5b3e1dc8a91fb0d29d3e
Instruction Fuzzy Hash: F92124B1D002598FDB14CF9AC844BEEFBF5EB88320F14842AD469A7250D778A944CFA5

Function 00E8B498 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E8B4FE

Memory Dump Source

Source File: 00000000.00000002.1655092736.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e9703eb83e4403c39c01f4664f0a69afc20d35abe0c845e19473a1c2c7e4bbeb
Instruction ID: 790fe060d74141516df23f2a3ba7f382c11ae774781ea67ec89b3005b5201ffa
Opcode Fuzzy Hash: e9703eb83e4403c39c01f4664f0a69afc20d35abe0c845e19473a1c2c7e4bbeb
Instruction Fuzzy Hash: AD111DB6C00249CFCB20DF9AC444ADEFBF5AB88324F10842AD828B7210D379A545CFA5

Function 08D71501 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 08D7155D

Memory Dump Source

Source File: 00000000.00000002.1658735961.0000000008D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d70000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 74002f2e05bdb93571661b90627c53f2acf2208181e4c57ce632068ab2e213d7
Instruction ID: e4ba64330464ac9f49f2b2cdae423d7d638d8505f631e89d55fd5f3acf161151
Opcode Fuzzy Hash: 74002f2e05bdb93571661b90627c53f2acf2208181e4c57ce632068ab2e213d7
Instruction Fuzzy Hash: B31112B5C003988FCB20DFAAD589BDEBFF4AB48320F20865AD559A7310D374A544CFA5

Function 08D71508 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 08D7155D

Memory Dump Source

Source File: 00000000.00000002.1658735961.0000000008D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d70000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9c8f67af8328fa00f5056c79dd72c39e6f249d2f0103acd4862dc0918b23ff3c
Instruction ID: 1f1e47ad6f31b9f89d8fa43e35527994446adf6ed21bd4742dc62ef979637ff3
Opcode Fuzzy Hash: 9c8f67af8328fa00f5056c79dd72c39e6f249d2f0103acd4862dc0918b23ff3c
Instruction Fuzzy Hash: A61112B18002488FCB20DF9AD485BCEBFF4EB48320F20851AD519A7210D374A544CFA5

Function 00E2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654134480.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e2d000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b6374c5b3e5cd115ad8d8782c676e9c1df5fa4de72f1be825bc38700794707
Instruction ID: 24b2c083d211d7abde600eca00d1e45c3a2050c3cc74c29e84b76a2918090e5e
Opcode Fuzzy Hash: 95b6374c5b3e5cd115ad8d8782c676e9c1df5fa4de72f1be825bc38700794707
Instruction Fuzzy Hash: F021F271608240DFCB14DF14E984F26BBA6FB84318F20C569DA4A5B2A6C73AD847CA61

Function 00E2D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654134480.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e2d000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff682a803a7488462a23ccb078c11669c551e4dde1408fb3783de7c9ee1e240
Instruction ID: 6359a3df6455733672b159d9a28e59271b7bc572e752a752dcb2e9bf15a584b1
Opcode Fuzzy Hash: 6ff682a803a7488462a23ccb078c11669c551e4dde1408fb3783de7c9ee1e240
Instruction Fuzzy Hash: 7021537550D3808FD712CF24D994B15BF72EB46314F28C5DAD9498F6A7C33A980ACB62

Non-executed Functions

Function 00E8E084 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655092736.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d427f474e7b223aa0d32d94337c7bd2bc36f516df5f113aeb495b930917354d
Instruction ID: f4ae42bfa87b58b796894eab0e14c22d1f64a599725eccdac6db0a15fb04bf14
Opcode Fuzzy Hash: 7d427f474e7b223aa0d32d94337c7bd2bc36f516df5f113aeb495b930917354d
Instruction Fuzzy Hash: D1A17E32E002158FCF05EFB5C84459EBBB2FF89304B15557AE809BB265DB31E945CB90

Analysis Process: Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exePID: 2336, Parent PID: 984COMMON

Execution Graph

Execution Coverage:	15.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	35.3%
Total number of Nodes:	34
Total number of Limit Nodes:	3

Executed Functions

Function 00D0F128 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2888006941.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1e2870180d9107a224884db238f063f80a22595187efc0adacfae36f7c37e0
Instruction ID: 73e259740cb1e34d7d1dfa8bfcc87fbf29e62d2cad3842e24f3d30e37a0ef1b4
Opcode Fuzzy Hash: 4a1e2870180d9107a224884db238f063f80a22595187efc0adacfae36f7c37e0
Instruction Fuzzy Hash: 1EF1E874D01218CFDB24DFA9D884B9DBBB2BF88304F64C1A9E408AB395DB759985CF50

Function 00D07F48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2888006941.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2da2a17e5a29132faf55e82c1bce21022ae3e4dfd1c4d7ece612f03442d5e22
Instruction ID: 85eae8905cdc8bc572db367de58eb839521c776f2d35630006f87bff38213a15
Opcode Fuzzy Hash: b2da2a17e5a29132faf55e82c1bce21022ae3e4dfd1c4d7ece612f03442d5e22
Instruction Fuzzy Hash: 26C18074E01218CFDB54DFA5D994B9DBBB2FB88300F1084AAD809AB364DB359E85DF50

Function 00D084F8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2888006941.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa2a2e4736c6aab92ad3b9a28ab88b600210b5c0992c91bd512d865dd892a1d
Instruction ID: 92bf73fdd091a72bf62fe891f83b1d92f34b9e87d8e64c6d72068895fe25fa4e
Opcode Fuzzy Hash: baa2a2e4736c6aab92ad3b9a28ab88b600210b5c0992c91bd512d865dd892a1d
Instruction Fuzzy Hash: 67A10570D00208CFDB14DFA9D584BDDBBB1FF89304F249269E449AB2A1DB749985CF64

Function 00D08508 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2888006941.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd30d7aa3a964ec2131ebdcaf01fdb81cb32fdce3f97c4bed172d9cf74f95b5
Instruction ID: 85c3ed480b8cb1e3f3f600bbb504b4e8d01f0abf985b5f71dc74b5d9c94a07b2
Opcode Fuzzy Hash: cbd30d7aa3a964ec2131ebdcaf01fdb81cb32fdce3f97c4bed172d9cf74f95b5
Instruction Fuzzy Hash: BCA10570D00208CFDB14DFA9D988BDDBBB1FF88314F249269E448A72A1DB745985CF64

Function 00D0884F Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2888006941.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcbe2b2facae9bee293f7cb2084a82b23898ec2a1adc53ed1680442f5828a0e4
Instruction ID: a70d39568bd52478d3b461a80346979cbf023d0e7d4db2220fa3f63ce2db8590
Opcode Fuzzy Hash: dcbe2b2facae9bee293f7cb2084a82b23898ec2a1adc53ed1680442f5828a0e4
Instruction Fuzzy Hash: AA910470D00208CFDB14DFA8D988BDDBBB1FF49310F249269E449AB2A1DB749985CF65

Function 00D0F50C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 00D0F64E

Memory Dump Source

Source File: 00000002.00000002.2888006941.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 53b618b9e57425c55c0ed7255f66251f170ae9afdf9b98bdca48320c0ba8272e
Instruction ID: fc6169bea0f8e1d4c7a72389750804ef1d4f4ee1df5c5ad2e7d6cc2072d1602f
Opcode Fuzzy Hash: 53b618b9e57425c55c0ed7255f66251f170ae9afdf9b98bdca48320c0ba8272e
Instruction Fuzzy Hash: 10113A74E011099FDB14DFA8D884BADBBB5FB88304F64D565E848E7691DB31E841CF60

Function 00C2D005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2887737622.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c2d000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187f89f8082b4488c0bb74b3a8eb633bb3ba493cdc93b5e2cfc74090ba291822
Instruction ID: d071416d21810bb7b517af2fa3a4157a4039e8c49b30fed7bb3cfa0eeacbd553
Opcode Fuzzy Hash: 187f89f8082b4488c0bb74b3a8eb633bb3ba493cdc93b5e2cfc74090ba291822
Instruction Fuzzy Hash: ED316B7550D3C49FCB13CF24D990711BF71AB56214F29C5EBD9898F6A3C23A980ACB62

Function 00C2D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2887737622.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c2d000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00adf4d40a9a9eba7168cc9a2d69368ee0468c8908b2c856d67ac0e55520045
Instruction ID: 824fad50dc00a4b43050713c60cefcce375acc1de49ee878975fd34428a190b1
Opcode Fuzzy Hash: b00adf4d40a9a9eba7168cc9a2d69368ee0468c8908b2c856d67ac0e55520045
Instruction Fuzzy Hash: 95214671504300DFCB10DF14E9C0B26BBA5FBA4314F30C66DD80A4B6A6C73AD847CA62

Non-executed Functions

Function 00D0F7F8 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2888006941.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854db86260415d32726c60824a712080264b5c612c6d393a311244fd571beb0d
Instruction ID: 9c926f377002be556d36c4d9475851dd0c9af62f07ed676698b4f2be86a3ef7b
Opcode Fuzzy Hash: 854db86260415d32726c60824a712080264b5c612c6d393a311244fd571beb0d
Instruction Fuzzy Hash: 0CD1C474E01218CFDB14DFA5D994B9DBBB2EF89300F2484AAD408AB3A5DB359D85CF50

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe

Function 00E8D530 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
threadCOMMON

Function 00E8D540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 00E8B2AD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 191
COMMON

Function 00E8590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 00E8449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 08D720A1 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Function 00E8D780 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00E8D788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 08D72198 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Function 00D0F128 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Function 00D0F50C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre