Analysis Report Delivery 9073782912,pdf.exe

Overview

General Information

Sample Name: Delivery 9073782912,pdf.exe
Analysis ID: 356845
MD5: 8b22f061055264b77361c6fe7941e25f
SHA1: 8251185b5bc6cb83e99139a7e480541a0363bc43
SHA256: 7fbc2450a78cb9a8b033dd654c2b2378a7e9f3ea7f89bd0db57f907685a2c4cf
Tags: DHL, exe, SnakeKeylogger
Most interesting Screenshot:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign process
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number, etc.) of a device
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz"}}
Multi AV Scanner detection for submitted file
Source: Delivery 9073782912,pdf.exe ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: Delivery 9073782912,pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 0.2.Delivery 9073782912,pdf.exe.e10000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files
Source: Delivery 9073782912,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Delivery 9073782912,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.88.193.70
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746

System Summary:

PE file contains section with special chars
Source: Delivery 9073782912,pdf.exe Static PE information: section name: **!@q|@
PE file has nameless sections
Source: Delivery 9073782912,pdf.exe Static PE information: section name:
Detected potential crypto function
PE file contains strange resources
Source: Delivery 9073782912,pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name gathered from version info
Source: Delivery 9073782912,pdf.exe, 00000000.00000000.645678736.0000000000E97000.00000002.00020000.sdmp Binary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmp Binary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910914612.0000000000B56000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910706029.0000000000466000.00000040.00000001.sdmp Binary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910852766.00000000007A7000.00000002.00020000.sdmp Binary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe Binary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
Uses 32bit PE files
Source: Delivery 9073782912,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Delivery 9073782912,pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Delivery 9073782912,pdf.exe Static PE information: Section: **!@q|@ ZLIB complexity 1.00040635487
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Delivery 9073782912,pdf.exe.log
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Delivery 9073782912,pdf.exe ReversingLabs: Detection: 27%
Source: Delivery 9073782912,pdf.exe String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: Delivery 9073782912,pdf.exe String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: unknown Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe 'C:\Users\user\Desktop\Delivery 9073782912,pdf.exe'
Source: unknown Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Delivery 9073782912,pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Delivery 9073782912,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
PE file contains sections with non-standard names
Source: Delivery 9073782912,pdf.exe Static PE information: section name: **!@q|@
Source: Delivery 9073782912,pdf.exe Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Code function: 0_2_03317C98 push esp; ret 0_2_03317C99
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Code function: 0_2_084325E0 pushad ; ret 0_2_084325E1
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Code function: 8_2_061DBC05 push 8B000003h; iretd 8_2_061DBC0C
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Code function: 8_2_061DB507 push es; iretd 8_2_061DB604
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Code function: 8_2_061DB0D0 pushfd ; iretd 8_2_061DB0D1
Source: initial sample Static PE information: section name: **!@q|@ entropy: 7.99766880008
Source: initial sample Static PE information: section name: .text entropy: 7.94676615922
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Code function: 8_2_061D3465 rdtsc 8_2_061D3465
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7016 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Code function: 0_2_031A1750 CheckRemoteDebuggerPresent, 0_2_031A1750
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Code function: 8_2_061D3465 rdtsc 8_2_061D3465
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Code function: 8_2_061D1C50 LdrInitializeThunk,KiUserExceptionDispatcher, 8_2_061D1C50
Enables debug privileges
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Memory written: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID: 356845). Sample: Delivery 9073782912,pdf.exe, Startdate: 23/02/2021, Architecture: WINDOWS, Score: 100
Root signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Snake Keylogger; 6 other signatures
Process: Delivery 9073782912,pdf.exe (started)
  Dropped file: C:\Users\...\Delivery 9073782912,pdf.exe.log (ASCII)
  Signature: Injects a PE file into a foreign processes
  Process: Delivery 9073782912,pdf.exe (started)
    DNS/IP: checkip.dyndns.org
    DNS/IP: checkip.dyndns.com 162.88.193.70, ports 49742, 49745, 80, DYNDNSUS, United States
    DNS/IP: freegeoip.app 104.21.19.200, ports 443, 49746, CLOUDFLARENETUS, United States
    Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)

Contacted Public IPs

IP              Domain    Country        ASN    ASN Name         Malicious
162.88.193.70   unknown   United States  33517  DYNDNSUS         false
104.21.19.200   unknown   United States  13335  CLOUDFLARENETUS  false

Contacted Domains

Name                IP              Active
freegeoip.app       104.21.19.200   true
checkip.dyndns.com  162.88.193.70   true
checkip.dyndns.org  unknown         unknown

Contacted URLs

Name                         Malicious  Antivirus Detection    Reputation
http://checkip.dyndns.org/   false      Avira URL Cloud: safe  unknown