
Analysis Report Delivery 9073782912,pdf.exe

Overview

General Information

Sample Name: Delivery 9073782912,pdf.exe
Analysis ID: 356845
MD5: 8b22f061055264b77361c6fe7941e25f
SHA1: 8251185b5bc6cb83e99139a7e480541a0363bc43
SHA256: 7fbc2450a78cb9a8b033dd654c2b2378a7e9f3ea7f89bd0db57f907685a2c4cf
Tags: DHL, exe, SnakeKeylogger
Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880 | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz"}}
Multi AV Scanner detection for submitted file
Source: Delivery 9073782912,pdf.exe; ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: Delivery 9073782912,pdf.exe; Joe Sandbox ML: detected
Source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen
Source: 0.2.Delivery 9073782912,pdf.exe.e10000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files
Source: Delivery 9073782912,pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown; HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Delivery 9073782912,pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: checkip.dyndns.org
Source: Joe Sandbox View; IP Address: 162.88.193.70 162.88.193.70
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown; HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown; DNS traffic detected: queries for: checkip.dyndns.org
Source: unknown; Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49746

System Summary:

PE file contains section with special chars
Source: Delivery 9073782912,pdf.exe; Static PE information: section name: **!@q|@
PE file has nameless sections
Source: Delivery 9073782912,pdf.exe; Static PE information: section name:
                      Source: Delivery 9073782912,pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Delivery 9073782912,pdf.exe, 00000000.00000000.645678736.0000000000E97000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910914612.0000000000B56000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910706029.0000000000466000.00000040.00000001.sdmpBinary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910852766.00000000007A7000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exeBinary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Delivery 9073782912,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Delivery 9073782912,pdf.exeStatic PE information: Section: **!@q|@ ZLIB complexity 1.00040635487
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Delivery 9073782912,pdf.exe.log
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Delivery 9073782912,pdf.exe | ReversingLabs: Detection: 27%
Source: Delivery 9073782912,pdf.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: Delivery 9073782912,pdf.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: unknown | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe 'C:\Users\user\Desktop\Delivery 9073782912,pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Delivery 9073782912,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Delivery 9073782912,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Source: Delivery 9073782912,pdf.exe | Static PE information: section name: **!@q|@
Source: Delivery 9073782912,pdf.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_03317C98 push esp; ret 0_2_03317C99
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_084325E0 pushad ; ret 0_2_084325E1
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DBC05 push 8B000003h; iretd 8_2_061DBC0C
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DB507 push es; iretd 8_2_061DB604
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DB0D0 pushfd ; iretd 8_2_061DB0D1
Source: initial sample | Static PE information: section name: **!@q|@ entropy: 7.99766880008
Source: initial sample | Static PE information: section name: .text entropy: 7.94676615922
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D3465 rdtsc 8_2_061D3465
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7016 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_031A1750 CheckRemoteDebuggerPresent, 0_2_031A1750
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D3465 rdtsc 8_2_061D3465
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D1C50 LdrInitializeThunk, KiUserExceptionDispatcher, 8_2_061D1C50
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Memory written: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 1 | Security Software Discovery 12 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 4 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

                      Behavior Graph


                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

| Source | Detection | Scanner | Label | Link |
| Delivery 9073782912,pdf.exe | 28% | ReversingLabs | Win32.Trojan.AgentTesla | |
| Delivery 9073782912,pdf.exe | 100% | Joe Sandbox ML | | |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

| Source | Detection | Scanner | Label | Link |
| 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen | |
| 0.2.Delivery 9073782912,pdf.exe.e10000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3 | |

                      Domains

| Source | Detection | Scanner | Label | Link |
| freegeoip.app | 0% | Virustotal | | |

                      URLs

| Source | Detection | Scanner | Label | Link |
| http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe | |
| https://freegeoip.app | 0% | URL Reputation | safe | |
| http://www.tiro.com | 0% | URL Reputation | safe | |
| http://www.goodfont.co.kr | 0% | URL Reputation | safe | |
| http://www.carterandcone.com | 0% | URL Reputation | safe | |
| http://www.tiro.comnm | 0% | Avira URL Cloud | safe | |
| http://fontfabrik.comM | 0% | Avira URL Cloud | safe | |
| http://www.sajatypeworks.com | 0% | URL Reputation | safe | |
| http://www.typography.netD | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe | |
| http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe | |
| http://www.sandoll.co.krs-e | 0% | Avira URL Cloud | safe | |
| http://fontfabrik.com | 0% | URL Reputation | safe | |
| http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe | |
| http://www.carterandcone.comscr | 0% | Avira URL Cloud | safe | |
| http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | |
| http://www.sandoll.co.kr | 0% | URL Reputation | safe | |
| http://checkip.dyndns.com | 0% | Avira URL Cloud | safe | |
| http://fontfabrik.comh | 0% | Avira URL Cloud | safe | |
| http://www.urwpp.deDPlease | 0% | URL Reputation | safe | |
| http://www.zhongyicts.com.cn | 0% | URL Reputation | safe | |
| http://www.sakkal.com | 0% | URL Reputation | safe | |
| http://freegeoip.app | 0% | URL Reputation | safe | |
| https://freegeoip.app/xml/ | 0% | URL Reputation | safe | |
| http://checkip.dyndns.orgD8Sk | 0% | Avira URL Cloud | safe | |
| https://freegeoip.app4Sk | 0% | Avira URL Cloud | safe | |
| http://checkip.dyndns.org | 0% | Avira URL Cloud | safe | |
| http://www.sandoll.co.krN.TTF | 0% | Avira URL Cloud | safe | |
| https://freegeoip.app/xml/84.17.52.38x | 0% | URL Reputation | safe | |
| https://freegeoip.app/xml/LoadCountryNameClipboard | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cndd | 0% | Avira URL Cloud | safe | |
| http://www.carterandcone.coml | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cn | 0% | URL Reputation | safe | |
| http://checkip.dyndns.org/HB&lTN | 0% | Avira URL Cloud | safe | |
| http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe | |
| https://freegeoip.app/xml/84.17.52.38 | 0% | URL Reputation | safe | |
| http://checkip.dyndns.org4Sk | 0% | Avira URL Cloud | safe | |

                      Domains and IPs

                      Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| freegeoip.app | 104.21.19.200 | true | false | | unknown |
| checkip.dyndns.com | 162.88.193.70 | true | false | | unknown |
| checkip.dyndns.org | unknown | unknown | true | | unknown |

                          Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
| http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown |

                          URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://www.fontbureau.com/designersG | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | | high |
| http://www.fontbureau.com/designers/? | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | | high |
| http://www.founder.com.cn/cn/bThe | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.com/designers? | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | | high |
| https://freegeoip.app | Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.com/designersX | Delivery 9073782912,pdf.exe, 00000000.00000003.656437070.000000000898E000.00000004.00000001.sdmp | false | | high |
| http://www.tiro.com | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.com/designers | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655756100.000000000898E000.00000004.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655604692.000000000898E000.00000004.00000001.sdmp | false | | high |
| http://www.goodfont.co.kr | Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.carterandcone.com | Delivery 9073782912,pdf.exe, 00000000.00000003.654071949.0000000008956000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.tiro.comnm | Delivery 9073782912,pdf.exe, 00000000.00000003.652165341.0000000008952000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://fontfabrik.comM | Delivery 9073782912,pdf.exe, 00000000.00000003.651697965.000000000896B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.fontbureau.com/designersS | Delivery 9073782912,pdf.exe, 00000000.00000003.660621776.000000000898B000.00000004.00000001.sdmp | false | | high |
| http://www.sajatypeworks.com | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.typography.netD | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.founder.com.cn/cn/cThe | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.galapagosdesign.com/staff/dennis.htm | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.sandoll.co.krs-e | Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | false | | |
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://fontfabrik.comDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.comscrDelivery 9073782912,pdf.exe, 00000000.00000003.654071949.0000000008956000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.galapagosdesign.com/DPleaseDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.fonts.comDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.sandoll.co.krDelivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://checkip.dyndns.comDelivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://fontfabrik.comhDelivery 9073782912,pdf.exe, 00000000.00000003.651697965.000000000896B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.urwpp.deDPleaseDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cnDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDelivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sakkal.comDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://freegeoip.appDelivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://freegeoip.app/xml/Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.apache.org/licenses/LICENSE-2.0Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.fontbureau.comDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                                high
                                                http://checkip.dyndns.orgD8SkDelivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://freegeoip.app4SkDelivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://checkip.dyndns.orgDelivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.sandoll.co.krN.TTFDelivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://freegeoip.app/xml/84.17.52.38xDelivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://freegeoip.app/xml/LoadCountryNameClipboardDelivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.founder.com.cn/cnddDelivery 9073782912,pdf.exe, 00000000.00000003.653160870.000000000898D000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.carterandcone.comlDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.founder.com.cn/cnDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/frere-user.htmlDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655879593.0000000008958000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://checkip.dyndns.org/HB&lTNDelivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers8Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655913964.000000000898E000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://freegeoip.app/xml/84.17.52.38Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://checkip.dyndns.org4SkDelivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown

                                                      Contacted IPs


                                                      Public

IP             Domain   Country        ASN    ASN Name         Malicious
162.88.193.70  unknown  United States  33517  DYNDNSUS         false
104.21.19.200  unknown  United States  13335  CLOUDFLARENETUS  false

                                                      General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356845
Start date: 23.02.2021
Start time: 17:45:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 17s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Delivery 9073782912,pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.8% (good quality ratio 0.2%)
• Quality average: 18.8%
• Quality standard deviation: 31.6%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 49
• Number of non-executed functions: 15
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 204.79.197.200, 13.107.21.200, 104.42.151.234, 23.211.6.115, 13.88.21.125, 104.43.139.144, 51.104.139.180, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.11.168.160
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                      Simulations

                                                      Behavior and APIs

Time      Type             Description
17:46:33  API Interceptor  1x Sleep call for process: Delivery 9073782912,pdf.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

Match: 162.88.193.70

Associated Sample Name / URL                              Detection  Context
P00760000.exe                                             malicious  checkip.dyndns.org/
Order.doc                                                 malicious  checkip.dyndns.org/
Shipment Notification 6368638172.pdf.exe                  malicious  checkip.dyndns.org/
Halkbank_Ekstre_20210223_082357_541079.exe                malicious  checkip.dyndns.org/
FOB offer_1164087223_I0133P2100363812.PDF.exe             malicious  checkip.dyndns.org/
purchase order 1.exe                                      malicious  checkip.dyndns.org/
telex transfer.exe                                        malicious  checkip.dyndns.org/
GPP.exe                                                   malicious  checkip.dyndns.org/
#11032019 de investigaci#U00f3n de #U00f3rdenes,pdf.exe   malicious  checkip.dyndns.org/
Neue Bestellung_WJO-001, pdf.exe                          malicious  checkip.dyndns.org/
swift payment.doc                                         malicious  checkip.dyndns.org/
Order.exe                                                 malicious  checkip.dyndns.org/
Order.exe                                                 malicious  checkip.dyndns.org/
PURCHASE ORDER.exe                                        malicious  checkip.dyndns.org/
telex transfer.exe                                        malicious  checkip.dyndns.org/
ORDEN DE COMPRA.exe                                       malicious  checkip.dyndns.org/
banka bilgisi.exe                                         malicious  checkip.dyndns.org/
purchase order.exe                                        malicious  checkip.dyndns.org/
XXXXXXXXXXXXXX.exe                                        malicious  checkip.dyndns.org/
170221.exe                                                malicious  checkip.dyndns.org/

                                                      Domains

Match: freegeoip.app

Associated Sample Name / URL                              Detection  Context
PO202100046.exe                                           malicious  172.67.188.154
SSGLPOJ6212202.exe                                        malicious  104.21.19.200
ST_PLC URGENT ORDER 0223308737,pdf.exe                    malicious  104.21.19.200
P00760000.exe                                             malicious  104.21.19.200
Order.doc                                                 malicious  104.21.19.200
QUOTE.doc                                                 malicious  104.21.19.200
Shipment Notification 6368638172.pdf.exe                  malicious  172.67.188.154
purchase order.exe                                        malicious  104.21.19.200
9073782912,pdf.exe                                        malicious  104.21.19.200
IMG_57109_Scanned.doc                                     malicious  104.21.19.200
Purchase Order.exe                                        malicious  104.21.19.200
dot crypted.exe                                           malicious  104.21.19.200
v2.exe                                                    malicious  172.67.188.154
Shipping Document PL&BL Draft.exe                         malicious  172.67.188.154
Halkbank_Ekstre_20210223_082357_541079.exe                malicious  172.67.188.154
FOB offer_1164087223_I0133P2100363812.PDF.exe             malicious  104.21.19.200
PURCHASE ORDER CONFIRMATION.exe                           malicious  172.67.188.154
Yao Han Industries 61007-51333893QR001U,pdf.exe           malicious  172.67.188.154
(appproved)WJO-TT180,pdf.exe                              malicious  104.21.19.200
purchase order.exe                                        malicious  172.67.188.154

Match: checkip.dyndns.com

Associated Sample Name / URL                              Detection  Context
PO202100046.exe                                           malicious  131.186.113.70
SSGLPOJ6212202.exe                                        malicious  216.146.43.70
ST_PLC URGENT ORDER 0223308737,pdf.exe                    malicious  216.146.43.70
P00760000.exe                                             malicious  162.88.193.70
Order.doc                                                 malicious  131.186.113.70
QUOTE.doc                                                 malicious  216.146.43.70
Shipment Notification 6368638172.pdf.exe                  malicious  162.88.193.70
purchase order.exe                                        malicious  131.186.113.70
9073782912,pdf.exe                                        malicious  216.146.43.70
IMG_57109_Scanned.doc                                     malicious  131.186.113.70
Purchase Order.exe                                        malicious  131.186.113.70
dot crypted.exe                                           malicious  131.186.113.70
v2.exe                                                    malicious  131.186.113.70
Shipping Document PL&BL Draft.exe                         malicious  216.146.43.71
Halkbank_Ekstre_20210223_082357_541079.exe                malicious  162.88.193.70
FOB offer_1164087223_I0133P2100363812.PDF.exe             malicious  162.88.193.70
PURCHASE ORDER CONFIRMATION.exe                           malicious  131.186.113.70
Yao Han Industries 61007-51333893QR001U,pdf.exe           malicious  131.186.113.70
(appproved)WJO-TT180,pdf.exe                              malicious  131.186.161.70
purchase order.exe                                        malicious  131.186.113.70

                                                      ASN

Match: CLOUDFLARENETUS

Associated Sample Name / URL                              Detection  Context
SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe       malicious  172.67.199.58
PO202100046.exe                                           malicious  172.67.188.154
SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe      malicious  172.67.213.210
SSGLPOJ6212202.exe                                        malicious  172.67.188.154
ST_PLC URGENT ORDER 0223308737,pdf.exe                    malicious  104.21.19.200
SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe       malicious  172.67.199.58
SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe            malicious  104.23.98.190
1vuet1S3tI.exe                                            malicious  172.67.199.58
P00760000.exe                                             malicious  104.21.19.200
Order.doc                                                 malicious  104.21.19.200
QUOTE.doc                                                 malicious  104.21.19.200
Shipment Notification 6368638172.pdf.exe                  malicious  172.67.188.154
2070121_SN-WS.exe                                         malicious  104.21.71.230
purchase order.exe                                        malicious  104.21.19.200
9073782912,pdf.exe                                        malicious  104.21.19.200
payment_advice.doc                                        malicious  172.67.172.17
                                                      IMG_57109_Scanned.docGet hashmaliciousBrowse
                                                      • 172.67.188.154
                                                      Purchase Order.exeGet hashmaliciousBrowse
                                                      • 104.21.19.200
                                                      dot crypted.exeGet hashmaliciousBrowse
                                                      • 104.21.19.200
                                                      New Order 2300030317388 InterMetro.exeGet hashmaliciousBrowse
                                                      • 172.67.172.17
                                                      DYNDNSUSPO202100046.exeGet hashmaliciousBrowse
                                                      • 131.186.113.70
                                                      SSGLPOJ6212202.exeGet hashmaliciousBrowse
                                                      • 216.146.43.71
                                                      ST_PLC URGENT ORDER 0223308737,pdf.exeGet hashmaliciousBrowse
                                                      • 216.146.43.70
                                                      P00760000.exeGet hashmaliciousBrowse
                                                      • 162.88.193.70
                                                      Order.docGet hashmaliciousBrowse
                                                      • 162.88.193.70
                                                      QUOTE.docGet hashmaliciousBrowse
                                                      • 216.146.43.70
                                                      Shipment Notification 6368638172.pdf.exeGet hashmaliciousBrowse
                                                      • 162.88.193.70
                                                      purchase order.exeGet hashmaliciousBrowse
                                                      • 131.186.113.70
                                                      9073782912,pdf.exeGet hashmaliciousBrowse
                                                      • 216.146.43.70
                                                      IMG_57109_Scanned.docGet hashmaliciousBrowse
                                                      • 131.186.113.70
                                                      Purchase Order.exeGet hashmaliciousBrowse
                                                      • 131.186.113.70
                                                      dot crypted.exeGet hashmaliciousBrowse
                                                      • 131.186.113.70
                                                      v2.exeGet hashmaliciousBrowse
                                                      • 131.186.113.70
                                                      Shipping Document PL&BL Draft.exeGet hashmaliciousBrowse
                                                      • 216.146.43.71
                                                      Halkbank_Ekstre_20210223_082357_541079.exeGet hashmaliciousBrowse
                                                      • 162.88.193.70
                                                      FOB offer_1164087223_I0133P2100363812.PDF.exeGet hashmaliciousBrowse
                                                      • 162.88.193.70
                                                      PURCHASE ORDER CONFIRMATION.exeGet hashmaliciousBrowse
                                                      • 131.186.113.70
                                                      Yao Han Industries 61007-51333893QR001U,pdf.exeGet hashmaliciousBrowse
                                                      • 131.186.113.70
                                                      (appproved)WJO-TT180,pdf.exeGet hashmaliciousBrowse
                                                      • 131.186.161.70
                                                      purchase order.exeGet hashmaliciousBrowse
                                                      • 131.186.113.70

                                                      JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad

Associated Sample Name / URL | Detection | Context
PO202100046.exe | malicious | 104.21.19.200
SSGLPOJ6212202.exe | malicious | 104.21.19.200
ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 104.21.19.200
SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 104.21.19.200
P00760000.exe | malicious | 104.21.19.200
Shipment Notification 6368638172.pdf.exe | malicious | 104.21.19.200
purchase order.exe | malicious | 104.21.19.200
9073782912,pdf.exe | malicious | 104.21.19.200
Purchase Order.exe | malicious | 104.21.19.200
dot crypted.exe | malicious | 104.21.19.200
v2.exe | malicious | 104.21.19.200
Shipping Document PL&BL Draft.exe | malicious | 104.21.19.200
Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 104.21.19.200
FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 104.21.19.200
PURCHASE ORDER CONFIRMATION.exe | malicious | 104.21.19.200
Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 104.21.19.200
(appproved)WJO-TT180,pdf.exe | malicious | 104.21.19.200
purchase order.exe | malicious | 104.21.19.200
9073782912,pdf.exe | malicious | 104.21.19.200
SOS URGENT RFQ #2345.exe | malicious | 104.21.19.200

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Delivery 9073782912,pdf.exe.log

Process: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
MD5: B666A4404B132B2BF6C04FBF848EB948
SHA1: D2EFB3D43F8B8806544D3A47F7DAEE8534981739
SHA-256: 7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
SHA-512: 00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                      Static File Info

                                                      General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.542462273711499
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.96%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Delivery 9073782912,pdf.exe
File size (bytes): 635392
MD5: 8b22f061055264b77361c6fe7941e25f
SHA1: 8251185b5bc6cb83e99139a7e480541a0363bc43
SHA256: 7fbc2450a78cb9a8b033dd654c2b2378a7e9f3ea7f89bd0db57f907685a2c4cf
SHA512: ed21a8a43265cdd8d0bcb72cb02b54e13542e26f81261996c837ca092a18ed89b5394cc674e099008d06f25357c6ac61519c135216b95b4ef24971d26220bc33
SSDEEP: 12288:pReF1EYoHSRA26BqSSF2EuYiNnZUkRobfzl6sI/jklzAKp:pUo3ZCbw/jklDp
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;.5`..............0..j...D....... ...`... ....@.. .......................@............@................................

                                                      File Icon

                                                      Icon Hash:8604a4acbcace4f8

                                                      Static PE Info

                                                      General

Entrypoint: 0x4a200a
Entrypoint Section: (none)
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6035023B [Tue Feb 23 13:25:15 2021 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [004A2000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16948 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x31708 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa2000 | 0x8 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x16000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

Name: **!@q|@
Virtual Address: 0x2000
Virtual Size: 0x12968
Raw Size: 0x12a00
Xored PE: False
ZLIB Complexity: 1.00040635487
File Type: data
Entropy: 7.99766880008
Characteristics: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Name: .text
Virtual Address: 0x16000
Virtual Size: 0x56638
Raw Size: 0x56800
Xored PE: False
ZLIB Complexity: 0.934793284863
File Type: data
Entropy: 7.94676615922
Characteristics: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Name: .rsrc
Virtual Address: 0x6e000
Virtual Size: 0x31708
Raw Size: 0x31800
Xored PE: False
ZLIB Complexity: 0.430836687184
File Type: data
Entropy: 5.93363370804
Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name: .reloc
Virtual Address: 0xa0000
Virtual Size: 0xc
Raw Size: 0x200
Xored PE: False
ZLIB Complexity: 0.044921875
File Type: data
Entropy: 0.0980041756627
Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name: (nameless section)
Virtual Address: 0xa2000
Virtual Size: 0x10
Raw Size: 0x200
Xored PE: False
ZLIB Complexity: 0.044921875
File Type: data
Entropy: 0.142635768149
Characteristics: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

                                                      Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6e2b0 | 0x96b5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x77968 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0x88190 | 0x94a8 | data | |
RT_ICON | 0x91638 | 0x5488 | data | |
RT_ICON | 0x96ac0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0x9ace8 | 0x25a8 | data | |
RT_ICON | 0x9d290 | 0x10a8 | data | |
RT_ICON | 0x9e338 | 0x988 | data | |
RT_ICON | 0x9ecc0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x9f128 | 0x84 | data | |
RT_VERSION | 0x9f1ac | 0x36c | data | |
RT_MANIFEST | 0x9f518 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                      Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                      Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Neudesic 2017
Assembly Version | 1.0.0.0
InternalName | ihwC.exe
FileVersion | 1.0.0.0
CompanyName | Neudesic
LegalTrademarks |
Comments |
ProductName | VectorBasedDrawing
ProductVersion | 1.0.0.0
FileDescription | VectorBasedDrawing
OriginalFilename | ihwC.exe

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 17:47:10.385010958 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:10.514962912 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:10.515105963 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:10.515765905 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:10.647022009 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:10.647624016 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:10.647641897 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:10.648061991 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:10.650599003 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:10.780585051 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:11.165839911 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:11.301563025 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:11.301687002 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:11.302320004 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:11.436569929 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:11.437163115 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:11.437191963 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:11.437302113 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:11.437710047 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
Feb 23, 2021 17:47:11.570492029 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
Feb 23, 2021 17:47:15.477514982 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
Feb 23, 2021 17:47:15.518438101 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
Feb 23, 2021 17:47:15.518560886 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
Feb 23, 2021 17:47:15.663821936 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
Feb 23, 2021 17:47:15.704763889 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
Feb 23, 2021 17:47:15.707940102 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
Feb 23, 2021 17:47:15.707974911 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
Feb 23, 2021 17:47:15.708055973 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
Feb 23, 2021 17:47:15.720120907 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
Feb 23, 2021 17:47:15.761037111 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
Feb 23, 2021 17:47:15.761157036 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
Feb 23, 2021 17:47:15.894706964 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
Feb 23, 2021 17:47:16.124634981 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
Feb 23, 2021 17:47:16.165818930 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
Feb 23, 2021 17:47:16.176373959 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
                                                      Feb 23, 2021 17:47:16.300379038 CET49746443192.168.2.4104.21.19.200

                                                      UDP Packets

                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Feb 23, 2021 17:46:17.454483032 CET | 53723 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:17.503448009 CET | 53 | 53723 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:18.465976954 CET | 64646 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:18.514651060 CET | 53 | 64646 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:18.596849918 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:18.645673037 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:19.059184074 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:19.117706060 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:19.822237968 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:19.873717070 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:21.559057951 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:21.609155893 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:23.021130085 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:23.069884062 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:24.302784920 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:24.362678051 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:25.923446894 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:25.972177029 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:27.101850986 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:27.153682947 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:28.352952957 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:28.401815891 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:29.705750942 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:29.770699978 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:31.847505093 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:31.900166035 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:33.009524107 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:33.058171988 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:35.175245047 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:35.238220930 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:36.564374924 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:36.616409063 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:37.795241117 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:37.850491047 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:42.885940075 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:42.943049908 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:44.089695930 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:44.147047997 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:46.165170908 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:46.216825008 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:47.319994926 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:47.368875980 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:48.725441933 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:48.774477959 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:49.850008965 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:49.901560068 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:09.970807076 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:10.019479990 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.044681072 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:10.093497038 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.784713984 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:10.846333027 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.992858887 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:11.052777052 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:15.414294004 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:15.474364996 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:16.051832914 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:16.128154039 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:17.384895086 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:17.445041895 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:19.945775986 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:20.038868904 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:20.514960051 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:20.572122097 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:21.488823891 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:21.549582005 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:22.153453112 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:22.215020895 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:22.310942888 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:22.377717972 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:22.887278080 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:22.949532986 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:23.929455042 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:23.988411903 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:25.474884987 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:25.532162905 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:26.061750889 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:26.118860960 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:31.777206898 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:31.835905075 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:48:01.090235949 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:48:01.138968945 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:48:02.770982981 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:48:02.842902899 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4

                                                      DNS Queries

                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                      Feb 23, 2021 17:47:09.970807076 CET | 192.168.2.4 | 8.8.8.8 | 0x54f0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.044681072 CET | 192.168.2.4 | 8.8.8.8 | 0xd247 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:15.414294004 CET | 192.168.2.4 | 8.8.8.8 | 0xb3b6 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)

                                                      DNS Answers

                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                      Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | - | 162.88.193.70 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | - | 216.146.43.71 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | - | 131.186.113.70 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | - | 131.186.161.70 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | - | 216.146.43.70 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | - | 216.146.43.70 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | - | 162.88.193.70 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | - | 216.146.43.71 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | - | 131.186.161.70 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | - | 131.186.113.70 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:15.474364996 CET | 8.8.8.8 | 192.168.2.4 | 0xb3b6 | No error (0) | freegeoip.app | - | 104.21.19.200 | A (IP address) | IN (0x0001)
                                                      Feb 23, 2021 17:47:15.474364996 CET | 8.8.8.8 | 192.168.2.4 | 0xb3b6 | No error (0) | freegeoip.app | - | 172.67.188.154 | A (IP address) | IN (0x0001)

                                                      HTTP Request Dependency Graph

                                                      • checkip.dyndns.org

                                                      HTTP Packets

                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                      0 | 192.168.2.4 | 49742 | 162.88.193.70 | 80 | C:\Users\user\Desktop\Delivery 9073782912,pdf.exe

                                                      Timestamp: Feb 23, 2021 17:47:10.515765905 CET | kBytes transferred: 1400 | Direction: OUT
                                                      Data:
                                                      GET / HTTP/1.1
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                      Host: checkip.dyndns.org
                                                      Connection: Keep-Alive

                                                      Timestamp: Feb 23, 2021 17:47:10.647624016 CET | kBytes transferred: 1400 | Direction: IN
                                                      Data:
                                                      HTTP/1.1 200 OK
                                                      Content-Type: text/html
                                                      Server: DynDNS-CheckIP/1.0.1
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Pragma: no-cache
                                                      Content-Length: 103
                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                      1 | 192.168.2.4 | 49745 | 162.88.193.70 | 80 | C:\Users\user\Desktop\Delivery 9073782912,pdf.exe

                                                      Timestamp: Feb 23, 2021 17:47:11.302320004 CET | kBytes transferred: 1470 | Direction: OUT
                                                      Data:
                                                      GET / HTTP/1.1
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                      Host: checkip.dyndns.org

                                                      Timestamp: Feb 23, 2021 17:47:11.437163115 CET | kBytes transferred: 1471 | Direction: IN
                                                      Data:
                                                      HTTP/1.1 200 OK
                                                      Content-Type: text/html
                                                      Server: DynDNS-CheckIP/1.0.1
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Pragma: no-cache
                                                      Content-Length: 103
                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>


                                                      HTTPS Packets

                                                      Timestamp: Feb 23, 2021 17:47:15.707974911 CET
                                                      Source IP: 104.21.19.200 | Source Port: 443 | Dest IP: 192.168.2.4 | Dest Port: 49746
                                                      Leaf certificate:
                                                        Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
                                                        Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                                        Not Before: Mon Aug 10 02:00:00 CEST 2020
                                                        Not After: Tue Aug 10 14:00:00 CEST 2021
                                                      Intermediate certificate:
                                                        Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                                        Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
                                                        Not Before: Mon Jan 27 13:48:08 CET 2020
                                                        Not After: Wed Jan 01 00:59:59 CET 2025
                                                      JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
                                                      JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

                                                      Code Manipulations

                                                      Statistics

                                                      CPU Usage


                                                      Memory Usage


                                                      High Level Behavior Distribution


                                                      Behavior


                                                      System Behavior

                                                      General

                                                      Start time: 17:46:24
                                                      Start date: 23/02/2021
                                                      Path: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: 'C:\Users\user\Desktop\Delivery 9073782912,pdf.exe'
                                                      Imagebase: 0x7ffabd480000
                                                      File size: 635392 bytes
                                                      MD5 hash: 8B22F061055264B77361C6FE7941E25F
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: .Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation: low

                                                      General

                                                      Start time: 17:47:05
                                                      Start date: 23/02/2021
                                                      Path: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: {path}
                                                      Imagebase: 0x7ffabd480000
                                                      File size: 635392 bytes
                                                      MD5 hash: 8B22F061055264B77361C6FE7941E25F
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: .Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      Reputation: low

                                                      Disassembly

                                                      Code Analysis


                                                        Executed Functions

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
                                                        • Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .Zl$;#2I$KEkx$KEkx-(}
                                                        • API String ID: 0-2852947158
                                                        • Opcode ID: 46969815b3f759038562ca7383efdeea3b397ae79b93cf8058c460f091decb66
                                                        • Instruction ID: e6465bd6f3104301bbaeb38d7205c67d7870fc4649503505bb4fa046ef464f5a
                                                        • Opcode Fuzzy Hash: 46969815b3f759038562ca7383efdeea3b397ae79b93cf8058c460f091decb66
                                                        • Instruction Fuzzy Hash: B4D10A74E0460ADFCB08CFAAD5804AEFBB2FF8D341B158565C415AB364DB749982CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
                                                        • Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
                                                        Similarity
                                                        • API ID:
                                                        • String ID: iV8$iV8$`}
                                                        • API String ID: 0-3551975735
                                                        • Opcode ID: ec9489cbf4ec26101ac1c80d7f0865827b6ddf1bd3cad3e081f00be9bf6358bd
                                                        • Instruction ID: ee11374180d5c03f47619a609ea16d971075a8378e2fecad85dc27f11d8c6f48
                                                        • Opcode Fuzzy Hash: ec9489cbf4ec26101ac1c80d7f0865827b6ddf1bd3cad3e081f00be9bf6358bd
                                                        • Instruction Fuzzy Hash: 1C711878E0560ADFCB08CF99D581AEEFBB2FB89311F15842AD515A7314D7349A81CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
                                                        • Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 9jwB$dNT!
                                                        • API String ID: 0-642800322
                                                        • Opcode ID: f55c00f344198431dc126d9203de29f5e7a44a845639db44c7be6d1978dda98e
                                                        • Instruction ID: 806dbcbff5edfa9e3e9d18a988531ee46626b640fc6c09f12ea3d84256f7bbae
                                                        • Opcode Fuzzy Hash: f55c00f344198431dc126d9203de29f5e7a44a845639db44c7be6d1978dda98e
                                                        • Instruction Fuzzy Hash: 95511774E046198FDB08CFAAC9405AEFBF2BF8C301F15D56AD419A7269D7348942CB68
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 031A17EC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
                                                        • Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0
                                                        • Opcode ID: 34480fe167391fb401c8cdc770540500e357d4334545288ed75195848d28436d
                                                        • Instruction ID: 1f17c7c6431db1b2b4c8270fead83dc83d6bb434177f7d62408f0ab5b5d4c170
                                                        • Opcode Fuzzy Hash: 34480fe167391fb401c8cdc770540500e357d4334545288ed75195848d28436d
                                                        • Instruction Fuzzy Hash: A841BBB9D04258DFCB00CFA9D484AEEFBF4BB09314F14906AE415B7250D738AA85CF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
                                                        • Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
                                                        Similarity
                                                        • API ID:
                                                        • String ID: <
                                                        • API String ID: 0-4251816714
                                                        • Opcode ID: 4604eae86b206476c7a10cd23341e21c16de356f47797b02d0f4b94d4171a093
                                                        • Instruction ID: f3e2b3053278793ce2776530f8ac1bb1df6f6a7582593eb5e8d2f7d71b897e8c
                                                        • Opcode Fuzzy Hash: 4604eae86b206476c7a10cd23341e21c16de356f47797b02d0f4b94d4171a093
                                                        • Instruction Fuzzy Hash: FE51B475E046189FDB58CFAAC9506DDBBF2AF8D304F14C0AAD51DAB224EB305A85CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d99f70b4c5551a55cfd096540f5ef573a47c622dee246e2687cfa4a9e9d3f6e1
                                                        • Instruction ID: f9e2e4bc6c3f996d43ba7537815850b2f0d7d0fb68403e338571112f416a43d6
                                                        • Opcode Fuzzy Hash: d99f70b4c5551a55cfd096540f5ef573a47c622dee246e2687cfa4a9e9d3f6e1
                                                        • Instruction Fuzzy Hash: 63E12B74E00358DFCB14DFA5C844AAEBBB5FF89304F1481AAE849A7311EB71A985CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c97d1895611345a2f9f6030f579445340a3a8239a05d732bd0dbca621f4e7eb3
                                                        • Instruction ID: 702924dd6bb1c3766e8df977ad63d1edca4f986ca8b3775102a85cfb81781ef9
                                                        • Opcode Fuzzy Hash: c97d1895611345a2f9f6030f579445340a3a8239a05d732bd0dbca621f4e7eb3
                                                        • Instruction Fuzzy Hash: B791B274E00319CFCB04DFA1C8949EEB7BAFF89304F158619E415AB7A4EB34A995CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f9238fe74bc3733f7127197f88e11a8c22dbc487d92b1083db158d3e2aa8e5c1
                                                        • Instruction ID: 42c7f2d9a21aaa097e5b53ce20dda4940139529b6e5bf235bfaa1b13d546bbcb
                                                        • Opcode Fuzzy Hash: f9238fe74bc3733f7127197f88e11a8c22dbc487d92b1083db158d3e2aa8e5c1
                                                        • Instruction Fuzzy Hash: 9381A075E003198FCB04DBE1D8949DEB7BAFF89300F258615E415AB6A4EB30A995CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
                                                        • Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bdbb987652360e472e1b8b1a6ed2247a1d69e50a6c16991a69ce6193fcada53d
                                                        • Instruction ID: 82c54c2416f752153330ffff8cf7fe109d6138e5148eb72d37036fbf891156b9
                                                        • Opcode Fuzzy Hash: bdbb987652360e472e1b8b1a6ed2247a1d69e50a6c16991a69ce6193fcada53d
                                                        • Instruction Fuzzy Hash: 2081B174E016188FDB08CFEAD9946DEBBB2FF88300F14852AD919AB364D7345946CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f2803582369d31387d629bd94d96a248140389d23f78ec36576a7c689c9ecd6a
                                                        • Instruction ID: d1cb21c9792daec955ff28fae58a6d7d3c032662960f59c5552b20d61d21171d
                                                        • Opcode Fuzzy Hash: f2803582369d31387d629bd94d96a248140389d23f78ec36576a7c689c9ecd6a
                                                        • Instruction Fuzzy Hash: 41513F74E05209DFCB48DFA9D5819EEF7B2FF89300F1089AAC415AB364D730AA52CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7fb1d88629a5fa7c2cf3d9e6e1a0a540461f6b7e50ca017372b87dbdc92acea3
                                                        • Instruction ID: c10139067adc47499d71e43c3f6501c5c9e63ba8c9b46b33291ba06e81f29ae6
                                                        • Opcode Fuzzy Hash: 7fb1d88629a5fa7c2cf3d9e6e1a0a540461f6b7e50ca017372b87dbdc92acea3
                                                        • Instruction Fuzzy Hash: E1514374E05209DFCB48DFA9D5819AEF7B2FF89300F5089AAC415EB364D730AA51CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 82a6a7bbd94c846f4c04bd92ef101b7eb4eaf396ac93195c55ace9116b507f96
                                                        • Instruction ID: ed2c77ea1638d6aee1011c638c569d760b0ea38346a14fd6223675121f941683
                                                        • Opcode Fuzzy Hash: 82a6a7bbd94c846f4c04bd92ef101b7eb4eaf396ac93195c55ace9116b507f96
                                                        • Instruction Fuzzy Hash: 6541C8B4D462489FDB10CFA9C984BDEFBF0AB0A314F20912AE415BB750C7759949CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6e2a3456ca5082aefef2d04903d582d36a6473bda6f53c6c23d2a8374c8baba1
                                                        • Instruction ID: c27a69e0a701210fb58ead446ce3a9f985ffbfe782020d9f177527cebf239cd9
                                                        • Opcode Fuzzy Hash: 6e2a3456ca5082aefef2d04903d582d36a6473bda6f53c6c23d2a8374c8baba1
                                                        • Instruction Fuzzy Hash: 8741A7B4D05218DFDB10CFA9C984B9EBBF0AB09304F20912AE415BB750CB75A949CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
                                                        • Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2ad7eeeb91f54d1b71ae56ba91b563b52826ef8a618ee6a5592a42e9a3a66bc9
                                                        • Instruction ID: cda8bfe0e998ee805f0df031767e5a4261959c1cfb194d846c38c7ae8dbb8264
                                                        • Opcode Fuzzy Hash: 2ad7eeeb91f54d1b71ae56ba91b563b52826ef8a618ee6a5592a42e9a3a66bc9
                                                        • Instruction Fuzzy Hash: E3310475E006188BDB58CFAAD8447DEFBB3AFC8311F14C16AD409AA368DB745A45CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0088f68aec65a768aea1249f404c0f4ddb3fee5f65626b1314a6b00448bed314
                                                        • Instruction ID: bc9ad1c35e1957f7aeb73b61d264034b90f6875c52ddf16aaf8a8479c28a2319
                                                        • Opcode Fuzzy Hash: 0088f68aec65a768aea1249f404c0f4ddb3fee5f65626b1314a6b00448bed314
                                                        • Instruction Fuzzy Hash: 5621A0B4D012189FCB14CFAAD4446EEBBF1AB49311F10E12AE824B7350D7349645CF58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 04461776910d820ab2ff479be6b271a22327e343501df1878f5246d57c47f5f8
                                                        • Instruction ID: 379c53c81ec62a2cfe09277479c05abdc8c1a337f841746442660b01c5808ba4
                                                        • Opcode Fuzzy Hash: 04461776910d820ab2ff479be6b271a22327e343501df1878f5246d57c47f5f8
                                                        • Instruction Fuzzy Hash: F0219FB4D01218DFDB14CFAAD4446EEBBF1AB49351F20E12AE824B7350D7349A45CF98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(?), ref: 03315342
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 2cbed9ad5f154f4c28432c1ab11404de5b19151b9f7b0fc6077acf94defc9ee8
                                                        • Instruction ID: df3674290f803c668312b13c7370fa2d37539f9745cd48b2daee19e23dec75dd
                                                        • Opcode Fuzzy Hash: 2cbed9ad5f154f4c28432c1ab11404de5b19151b9f7b0fc6077acf94defc9ee8
                                                        • Instruction Fuzzy Hash: 58911670A007098FDB68CF6AD88479ABBF5FF89304F14892AE446E7B50D734A855CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0331BE79
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 2363cfd6e967ce629cd66f6ab3243d370ec5fb6adc74c13c951be696ce8724f1
                                                        • Instruction ID: bfb5ae8bee77abdad67ad6a5c208a4b42e302d140650435336fc87f64f5f5c61
                                                        • Opcode Fuzzy Hash: 2363cfd6e967ce629cd66f6ab3243d370ec5fb6adc74c13c951be696ce8724f1
                                                        • Instruction Fuzzy Hash: 7381BDB4D042589FCB24CFA9C884BDEFBF1BB0A304F1491AAE508AB221D7349985CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0331BE79
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 8cb3d654b7756a583507e36b92af1984ad30497dac49513e5b889e11fcada1ba
                                                        • Instruction ID: 4d12707b9dfc0c8fcf987f7ccf5a7286457e1e7eccb4f22c22e4e7a9ba112e59
                                                        • Opcode Fuzzy Hash: 8cb3d654b7756a583507e36b92af1984ad30497dac49513e5b889e11fcada1ba
                                                        • Instruction Fuzzy Hash: 92719AB4D002589FDF24CFA9D984BDEFBB1BB09304F2491AAE908A7221D7349985CF55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0331BE79
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: ea3527d7aebac7cdee30a14e55015a14eac84545a02abcc961926d684803f6cf
                                                        • Instruction ID: a20a9ee437304c6d224d37f031687573e467a79d83d668b3be12a2cee5ef045c
                                                        • Opcode Fuzzy Hash: ea3527d7aebac7cdee30a14e55015a14eac84545a02abcc961926d684803f6cf
                                                        • Instruction Fuzzy Hash: 11718AB4D002189FDF24CFA9D984BDEFBF1BB09304F1491AAE918A7221D7349A85CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 03310701
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 28e925f78309b403ea58d4b8ec94029e212fd10f6a50ccddcf0a574a7bb1e111
                                                        • Instruction ID: 7d4c43106ae66981bd03416d8ee264a3234c0b4d584533da1370fb4b2aa9071b
                                                        • Opcode Fuzzy Hash: 28e925f78309b403ea58d4b8ec94029e212fd10f6a50ccddcf0a574a7bb1e111
                                                        • Instruction Fuzzy Hash: 81510671D0422C8FDB24DFA4C880BCEBBF5BF59304F1180A9D549AB251DB756A89CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 03310701
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: b546b6e39c9db460874e2f10a7c70c131d8a0ad321f9a7348cc10899f77ca86f
                                                        • Instruction ID: a7a8b955a7540fdd480a04cfba8ff5fc93478ed362be1ae4006577881b220fbc
                                                        • Opcode Fuzzy Hash: b546b6e39c9db460874e2f10a7c70c131d8a0ad321f9a7348cc10899f77ca86f
                                                        • Instruction Fuzzy Hash: AC51F671D0422C8FDB24DFA4C880BCEBBF5BF49304F1180A9D549AB250DB756A89CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 033177F3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 071847bf6da154c4b9a90d18da3fcec6d23a40c5325822caea06d9a2f8d7f52a
                                                        • Instruction ID: fe105a3f47858da2e0984de2f718d84a63aefcb49c5d235130de3acf358714ec
                                                        • Opcode Fuzzy Hash: 071847bf6da154c4b9a90d18da3fcec6d23a40c5325822caea06d9a2f8d7f52a
                                                        • Instruction Fuzzy Hash: A44177B9D002589FCB00CFA9D984ADEBBF5BB09310F18906AE918BB310D375A955CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 033177F3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 914660bb9191494636fa8d454bb315cbdad53a511940edbf6dbcc4314085d4f5
                                                        • Instruction ID: b7997f05099517c3704b2e95e903ffbc18576ab31526bae252e309aabfd6838d
                                                        • Opcode Fuzzy Hash: 914660bb9191494636fa8d454bb315cbdad53a511940edbf6dbcc4314085d4f5
                                                        • Instruction Fuzzy Hash: 874176B9D042589FCF00CFA9D984ADEBBF5BB09310F14906AE918BB310D375A955CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(?,?,?), ref: 0331566A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 8a10faff6a68a2fc271b1674668c719ba56b0acb99eba0fefb9e163a36e5d8da
                                                        • Instruction ID: 76837ae4096d00028f3aefcf0d7f95b86cee44f982cc87f1310588bad48f706c
                                                        • Opcode Fuzzy Hash: 8a10faff6a68a2fc271b1674668c719ba56b0acb99eba0fefb9e163a36e5d8da
                                                        • Instruction Fuzzy Hash: 284196B8D002589FDB14CFA9D884ADEFBF5BB49310F14902AE914B7320D334A946CFA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(?,?,?), ref: 0331566A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 7a0bbc19731023b90c2a9c0f6d85f8f7b79791d066bc2c8e53347cacc5c53b3f
                                                        • Instruction ID: bfcd2318f1fdec1417af12996425eb57141f84b02cc226a5c0a1e69f19e97186
                                                        • Opcode Fuzzy Hash: 7a0bbc19731023b90c2a9c0f6d85f8f7b79791d066bc2c8e53347cacc5c53b3f
                                                        • Instruction Fuzzy Hash: 724198B8D042589FDB14CFA9D884A9EFBF5BB49310F14902AE914B7320D334A945CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 0331E4E1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        • Opcode ID: cca4405db7a432ff71866389b302d173eec463828b4145ef6a13ea464c838a73
                                                        • Instruction ID: 47b34ce5bfeaa8f917c8beb6b65dda86b6bdf5bf0cb026888f08d967263335e2
                                                        • Opcode Fuzzy Hash: cca4405db7a432ff71866389b302d173eec463828b4145ef6a13ea464c838a73
                                                        • Instruction Fuzzy Hash: 214119B4900209CFCB14CF99C888AABFBF5FB89314F25C459D919AB321D775A951CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 031A1917
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
                                                        • Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        • Opcode ID: ab53bfbbdfb8e49f84cb83a7a57bf8cd70f72557e827b274f79f37d544c33c47
                                                        • Instruction ID: 04b0e3381978ec6527a9fba3897fc76f83ac55dd97436a3cc264969dafe88e99
                                                        • Opcode Fuzzy Hash: ab53bfbbdfb8e49f84cb83a7a57bf8cd70f72557e827b274f79f37d544c33c47
                                                        • Instruction Fuzzy Hash: 483197B9D04258AFCB10CFA9D984ADEFBB1BB09314F14902AE815B7210D734AA45CF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(?), ref: 03315342
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: ba222d527b399eeb549664e85214ff177dd6b1a28bec21dcb08672759a517120
                                                        • Instruction ID: ecf18de1ebda56ae3e027c26f366eb1eaf42226d95f5c1e8643366a1fc23a2f3
                                                        • Opcode Fuzzy Hash: ba222d527b399eeb549664e85214ff177dd6b1a28bec21dcb08672759a517120
                                                        • Instruction Fuzzy Hash: 7431BBB4D002599FDB14CFA9D884ADEFBF5BB49314F18906AE814B7310D374A945CFA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(?,?,?), ref: 0331566A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: a975ff25a38ee3c7766e22ecf0cd2917f6db3579096b4360b4f1bc109aea278b
                                                        • Instruction ID: 7c518619fbc25e576b56f4498fefe8a74c2c4d5bbee4a4c326d7c0e57a12c814
                                                        • Opcode Fuzzy Hash: a975ff25a38ee3c7766e22ecf0cd2917f6db3579096b4360b4f1bc109aea278b
                                                        • Instruction Fuzzy Hash: 4B1197B4D152089FDB10CBA8E880ACDFBF4EF4A324F04905AE404B3210C3716815CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 84a568d10c86fda46b388dd299451bc991c5874e9f8cf85a26241750aa1ae991
                                                        • Instruction ID: 8e28934fbd02bb3409fe90057c88fd8dcf9c27b7bd6a8974aac74d3d70c18a90
                                                        • Opcode Fuzzy Hash: 84a568d10c86fda46b388dd299451bc991c5874e9f8cf85a26241750aa1ae991
                                                        • Instruction Fuzzy Hash: 159108349107599ECB14DF64C840BAEBBB1FF89304F14819AE849A7311EB71AA86CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 35452b25c11c1d11a74c7abd689d5b02db3ac062ac2aca58e3d7119126d3cf1c
                                                        • Instruction ID: 2e2dbed3cd2c2f6cea94cee38a3744a71d7d81f847a478b5cd50df32725d9ebe
                                                        • Opcode Fuzzy Hash: 35452b25c11c1d11a74c7abd689d5b02db3ac062ac2aca58e3d7119126d3cf1c
                                                        • Instruction Fuzzy Hash: 02E02632D14274CFC300A7A8F0047957368D705222F03806BE62883203DB68EC848380
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 308c172a28de3dc17fcb1d1581c55c671c6a5a3a3d1809637fd91fdabda47873
                                                        • Instruction ID: f309fc2fa034860c48ef9102480b00ebbf0c315871ecd64bc4113acb7019b147
                                                        • Opcode Fuzzy Hash: 308c172a28de3dc17fcb1d1581c55c671c6a5a3a3d1809637fd91fdabda47873
                                                        • Instruction Fuzzy Hash: BD1129356083608FC701AB78F8544BB7BB5EB86205718849FD489CB253DB39D80AC750
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9e923c02dd95d90c5c45ccea837506d6577a8c21da2c2b3a5d0011e40cdb2d41
                                                        • Instruction ID: 4cd8f8e471deb8bcaefb2d1a28b047ad27a776491657434297ebe86de3bfbcb5
                                                        • Opcode Fuzzy Hash: 9e923c02dd95d90c5c45ccea837506d6577a8c21da2c2b3a5d0011e40cdb2d41
                                                        • Instruction Fuzzy Hash: B6E03972B041246F5318DB6AE884C6BBBEEEBCD674351813AF508CB310DA309C0186A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
Similarity
• API ID:
• String ID: GM
• API String ID: 0-3089447204
• Opcode ID: 82b4307e39c8763e8a0f4951561758799cd0cd41dd2ac8b0c8e925beaf82d5d3
• Instruction ID: 16da674b101663c799df6735cd0c6afe3e2f47ecb293f1b4e73ba3e3d2f2e861
• Opcode Fuzzy Hash: 82b4307e39c8763e8a0f4951561758799cd0cd41dd2ac8b0c8e925beaf82d5d3
• Instruction Fuzzy Hash: D6811434E15609DFCB48CF99D58499EFBF2FF89311F15856AE819AB220E730AA41CF50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 46da05cada22184500404967b266cd86778953c7cb7c006dd3e5dd1814a17985
• Instruction ID: 68e8615aa79886dcddaa4f37985c44fa3b80591538380d439e3b3e47ad2b0f9f
• Opcode Fuzzy Hash: 46da05cada22184500404967b266cd86778953c7cb7c006dd3e5dd1814a17985
• Instruction Fuzzy Hash: 97A20735E002598FCB15EF68C8946EDB7B1FF89304F1482A9D90AA7351EB746E85CF50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e69e829a51380d3d4f020cbc0aec1073f66c2e9dfb420a9ceccc98348ffba8d
• Instruction ID: c936a6dcfb28a35a33181263b67a3c0e6f4e84d40688075e6ea1c352a8c3b35d
• Opcode Fuzzy Hash: 5e69e829a51380d3d4f020cbc0aec1073f66c2e9dfb420a9ceccc98348ffba8d
• Instruction Fuzzy Hash: 6412A9F9C017458BF710EF65E5C82893BA9F746318F908208D2616F6E9DFB4298ACF44
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b4973eb7f8b0a58a4079eb2495c9c9473942d2e842b0eacb1a8916b02d6ce22
• Instruction ID: 71105a5f21c5d88e6d3fec32d4d7a4406060facf1f4030814450e1d1bc429c03
• Opcode Fuzzy Hash: 2b4973eb7f8b0a58a4079eb2495c9c9473942d2e842b0eacb1a8916b02d6ce22
• Instruction Fuzzy Hash: 72D1E531C2075A9ACB10EFA4D994ADDB3B1FF99300F518B9AD14977260EB706AC4CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a946b6e6748647f7dc0e07e451ae1758970412b68c0f1dc04622918e5ce3993c
• Instruction ID: 12eabff9bffb10cdfd05685411ba2024459cc2fafb821f028b4a707f019e48d1
• Opcode Fuzzy Hash: a946b6e6748647f7dc0e07e451ae1758970412b68c0f1dc04622918e5ce3993c
• Instruction Fuzzy Hash: E1A18F36E0021ACFCF09DFA5C8845DEB7B6FF85300B15856AE905AF221EB75E955CB80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5d6ffc4cd779038818139ebcb610f5717e23524ca245454103f31715c4a0c59
• Instruction ID: 90eccc74928ea913b987726cadb4942f23c98049b6c86f9d067bd36f4d1d7fe1
• Opcode Fuzzy Hash: a5d6ffc4cd779038818139ebcb610f5717e23524ca245454103f31715c4a0c59
• Instruction Fuzzy Hash: D0D1E531C2075A9ACB10EFA4D990ADDB3B1FF99300F518B9AD14977260EB706AC4CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e1c362c08c62691d6ed928a51b3fc3c891039d7e5541028c459ba961d60d31b
• Instruction ID: f32eaf0c0aaa61604f03d6149d1c1e9540771e0022ef157bc1a8aa6bb7ac4b57
• Opcode Fuzzy Hash: 8e1c362c08c62691d6ed928a51b3fc3c891039d7e5541028c459ba961d60d31b
• Instruction Fuzzy Hash: 67C11BB9C117458BF710EF65E8C82897B79FB86318F518209D2616B6D8DFB4388ACF44
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.737089680.00000000031A0000.00000040.00000001.sdmp, Offset: 03110000, based on PE: true
• Associated: 00000000.00000002.736937568.0000000003110000.00000004.00000001.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d59ebcbf77b55c92ecc758557a6216b961552f88d8bab8a4875fc4df226faba3
• Instruction ID: f0ae2e050266109ccfb14c9bd603613a66a7fea61742e9e89054d8f1257186c3
• Opcode Fuzzy Hash: d59ebcbf77b55c92ecc758557a6216b961552f88d8bab8a4875fc4df226faba3
• Instruction Fuzzy Hash: 3A510774E046589FEB18CF6AC940A8EF7F3BF89216F09C1A6C50CAB215D7309A81CF55
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 073a39434208d6e801e2b0335125647dd6726e99668ff308b37167831aec1b13
• Instruction ID: 18f4c18b995058727e642fc3ff18e106d808a0a5aef34066c9d12947904b6478
• Opcode Fuzzy Hash: 073a39434208d6e801e2b0335125647dd6726e99668ff308b37167831aec1b13
• Instruction Fuzzy Hash: 8C319BB5D012589FCB14CFA9D984ADEFBF1BB49314F24A06AE815B7310D334A946CF54
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.737250805.0000000003310000.00000040.00000001.sdmp, Offset: 03310000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fe6e9045b5b1e1743561cd7ca377f37bc66fdd0c863344db56fcca5d4f872a6
• Instruction ID: fd6883d1412abff651939ac838fbc1e3bdd41ffa87e344f40d1edd56cde74458
• Opcode Fuzzy Hash: 8fe6e9045b5b1e1743561cd7ca377f37bc66fdd0c863344db56fcca5d4f872a6
• Instruction Fuzzy Hash: 423199B8D012589FCB14CFA9E984ADEFBF5BB49310F24A02AE815B7310D734A945CF94
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bd3ff4dfb5fcc9bacc450c638614d5872904e15ada3551e606fc932356939ce
• Instruction ID: 65ff9b3b90788b272cf5dfb2d46008e0059e61ac03e97cd4ffdba64bde30815f
• Opcode Fuzzy Hash: 9bd3ff4dfb5fcc9bacc450c638614d5872904e15ada3551e606fc932356939ce
• Instruction Fuzzy Hash: 25318BB4D06218EFDB14CFA9D484AEEBBB2BF49310F24A12AE814B7350D3349985CF54
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab49005d514628ded739ef81d29d0f894ba1e38c4d21780d4aac77ef9d8f37f7
• Instruction ID: af27edd8ed4750adaf0405aa113aa0bc7f0311ed09abdb790cf837ce6e1a3dd1
• Opcode Fuzzy Hash: ab49005d514628ded739ef81d29d0f894ba1e38c4d21780d4aac77ef9d8f37f7
• Instruction Fuzzy Hash: 14316CB4D06218EFCB14CFA9D884AEEBBF2BB89351F24912AE814B7350D7349941CF54
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb8a77940f2f41acda2661e50c344cc6f76b8d8f5fe12a1ac1171377957e35e9
• Instruction ID: 18b796649effba841d31f006c82b31a2113443f8b02cd822fc3a8eed6c6784a5
• Opcode Fuzzy Hash: fb8a77940f2f41acda2661e50c344cc6f76b8d8f5fe12a1ac1171377957e35e9
• Instruction Fuzzy Hash: 5901AFB5D052089F8F04DFA9D5418EEFBF2AF9A310F14A16AE804B7310E7349911CFA9
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.745923648.0000000008430000.00000040.00000001.sdmp, Offset: 08430000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
• Instruction ID: 4a33bcb410b17c6dfad90372bc87e98b64cba1b5cd91efa23c32ca874a64dcea
• Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
• Instruction Fuzzy Hash: 1DF03FB5D052089B8F04DFA9D5418EEFBF2AB5A310F10A16AE814B3310E73599518FA8
Uniqueness
• Uniqueness Score: -1.00%
                                                        Uniqueness Score: -1.00%

Executed Functions

APIs
• LdrInitializeThunk.NTDLL ref: 061D1C6F
• KiUserExceptionDispatcher.NTDLL(00000000), ref: 061D215E
Memory Dump Source
• Source File: 00000008.00000002.913892478.00000000061D0000.00000040.00000001.sdmp, Offset: 061D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 597ca6ea185c7be1bb4d78f33a8694b1b94473fd362675094a2b792c0de8e28f
• Instruction ID: b89d918aa372de466fabb9702ffba4a044d8c8cd43528625179dfec9ed12e1bb
• Opcode Fuzzy Hash: 597ca6ea185c7be1bb4d78f33a8694b1b94473fd362675094a2b792c0de8e28f
• Instruction Fuzzy Hash: D2F18B70E002189FDB14DFA4C894B9EBBF2BF88304F25C529D515AB385DB75AD46CB80
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 061D53B2
Memory Dump Source
• Source File: 00000008.00000002.913892478.00000000061D0000.00000040.00000001.sdmp, Offset: 061D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: fdd732456e7ec1e5dbadbe3ca7eb971be74b4ca9d17c1ef632c03faffc2382ca
• Instruction ID: 468612b7968d7eb2f98b59efc63c4b262c80aabc5aecb1926ada0209c761d3c9
• Opcode Fuzzy Hash: fdd732456e7ec1e5dbadbe3ca7eb971be74b4ca9d17c1ef632c03faffc2382ca
• Instruction Fuzzy Hash: 4A228D34F042089FEB24EBB4C8597AEBAE3AF89700F14C469E51ADB790DF749845CB51
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.913892478.00000000061D0000.00000040.00000001.sdmp, Offset: 061D0000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 731740f7a2159b6e8d499ef92426208330405d45885838bc8eeb64d2aeed8401
• Instruction ID: d329d56aef1c7b338f3eaffa6f40d8526399872b9a2b15cb4bf450e00925948e
• Opcode Fuzzy Hash: 731740f7a2159b6e8d499ef92426208330405d45885838bc8eeb64d2aeed8401
• Instruction Fuzzy Hash: ADF15B31E002198FDB54EFB9D8547AEB7F6AF89306F15856AE009EB390DF349881CB50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 061D53B2
Memory Dump Source
• Source File: 00000008.00000002.913892478.00000000061D0000.00000040.00000001.sdmp, Offset: 061D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 97a18eb774be277eba19f11cd9b510571893d082731a6aed04d24ea1c9e7ace3
• Instruction ID: 56f2ed875bbe49d8abcf803e3a392a5ec1d0914f5a8c11282a347e60eda2a14d
• Opcode Fuzzy Hash: 97a18eb774be277eba19f11cd9b510571893d082731a6aed04d24ea1c9e7ace3
• Instruction Fuzzy Hash: 7DE1CE34B042089FEB14EBB4C8593AEBAE7AF89700F148429E51ADB790DF749C46CB51
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.913892478.00000000061D0000.00000040.00000001.sdmp, Offset: 061D0000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0ecc8587b938a20c09bb215dda4729bc53b483efa0431766ac76439b696f5563
• Instruction ID: 3269ce8215818873ca1ba9cf93698c194be8fba3ce65045a15a47f8f095ac767
• Opcode Fuzzy Hash: 0ecc8587b938a20c09bb215dda4729bc53b483efa0431766ac76439b696f5563
• Instruction Fuzzy Hash: 7DF1C034F092458FD755DB7888547AE7BF2AF8A306F1584AAD049DB7A2DB38CC46CB00
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.911634062.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b045d36d4dddde3e3d9d159b63b04dce20d0bbc3271186c6d04dbb09a2a0ce9
• Instruction ID: abc5c314228bdc8b166a82054b49339b16e22b28ab724504b560e1d064ca709c
• Opcode Fuzzy Hash: 3b045d36d4dddde3e3d9d159b63b04dce20d0bbc3271186c6d04dbb09a2a0ce9
• Instruction Fuzzy Hash: 86D13534A10205CFF718AB75E91E7A97FB2AF84306F148929F166D72A1CF748C89DB50
Uniqueness
• Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.913892478.00000000061D0000.00000040.00000001.sdmp, Offset: 061D0000, based on PE: false
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 7611020ec146ba785fcf447a84e5d2fc05c74193797af70a88253a8d8ab7c9ad
                                                        • Instruction ID: 2dc97ed1dfd37d83c8d2404a9b17aba44c8587d6da0f6a02302c6004f22a58bd
                                                        • Opcode Fuzzy Hash: 7611020ec146ba785fcf447a84e5d2fc05c74193797af70a88253a8d8ab7c9ad
                                                        • Instruction Fuzzy Hash: 3451BC70E092489FDB15DBB8C8547DEBBF2AF85304F1581AAD454AB392DB79DC06CB80
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0103E14B
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.911634062.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: a8f6a6025da28566afe2d24f183879539dc7c81007bdad18f21f336c8b2d3efb
                                                        • Instruction ID: d873991b42ab427849d7912d1bc08e1a90b3d83de0905102757bcb81c149afeb
                                                        • Opcode Fuzzy Hash: a8f6a6025da28566afe2d24f183879539dc7c81007bdad18f21f336c8b2d3efb
                                                        • Instruction Fuzzy Hash: DF31D939531115CFFB047B72FA0F11C3F22BF492027108A69F026C10E59FBA58DA9B20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserExceptionDispatcher.NTDLL ref: 0103E14B
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.911634062.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                                        Similarity
                                                        • API ID: DispatcherExceptionUser
                                                        • String ID:
                                                        • API String ID: 6842923-0
                                                        • Opcode ID: 63e5703df7d5cdb48d5a93477c05affdab53ae306b67d12377715116d5b2421f
                                                        • Instruction ID: 6ec7a9d3af0df0f289591edb4fa28b997ff785221c0d3509a019e1c3e6d16e13
                                                        • Opcode Fuzzy Hash: 63e5703df7d5cdb48d5a93477c05affdab53ae306b67d12377715116d5b2421f
                                                        • Instruction Fuzzy Hash: 5E31C839531005CFFB047B72FA0F15C3F26BF49202B248A29F026810E59FBA58DADB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061FC107
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.913936617.00000000061F0000.00000040.00000001.sdmp, Offset: 061F0000, based on PE: false
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 56e6bf40c4a0819c0149d244c8feed5c371d6f3af5e7e6ecaddb6e57b0fcaa57
                                                        • Instruction ID: d3ee934d2fd98780422418c31982bdcfbf8c8d44f1bc71008b796a2e7bd294b6
                                                        • Opcode Fuzzy Hash: 56e6bf40c4a0819c0149d244c8feed5c371d6f3af5e7e6ecaddb6e57b0fcaa57
                                                        • Instruction Fuzzy Hash: DA21E0B5D01208EFDB10CFA9D985ADEBBF8EB48324F14841AE914B3310D378A954CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061FC107
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.913936617.00000000061F0000.00000040.00000001.sdmp, Offset: 061F0000, based on PE: false
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: e9dba7e7a74c97864ad02c9e17d8bafb727d228b0de994adc4b493e4043afed4
                                                        • Instruction ID: 9f32ea3a9348c970e7d24428f4bac8df893287cb858a3c258306278d9f4ac326
                                                        • Opcode Fuzzy Hash: e9dba7e7a74c97864ad02c9e17d8bafb727d228b0de994adc4b493e4043afed4
                                                        • Instruction Fuzzy Hash: 7921C4B5900258DFDB10CF99D984ADEBBF8FB49324F14841AE914A3310D378A954CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.911380262.0000000000F8D000.00000040.00000001.sdmp, Offset: 00F8D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 29fb12800264a6ea61b0155e743675e1938d65c0051080fec21e737fb9c036f1
                                                        • Instruction ID: 3ad91a0ca808e9b748c751371119323cc49473d049949c757e1aaadea66b93a9
                                                        • Opcode Fuzzy Hash: 29fb12800264a6ea61b0155e743675e1938d65c0051080fec21e737fb9c036f1
                                                        • Instruction Fuzzy Hash: E321F1B2904244DFDB04EF14D9C0B66BF65FF98328F28856AE9054E286C336D845EBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.911418501.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aff0e7373e590578e0ce7b51091880612d2a789f67d64a66610862acf257702b
                                                        • Instruction ID: 99be4a7ae41ce2361cefe8ac3bef33882ac76fa5c8d70fed95239921fe185edb
                                                        • Opcode Fuzzy Hash: aff0e7373e590578e0ce7b51091880612d2a789f67d64a66610862acf257702b
                                                        • Instruction Fuzzy Hash: 4A21F5B1508244DFEF14DF14D9C0B26BBA5FB88324F34C569D9094B25AC37AD846DA61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.911418501.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9e53663e14c9278e6442a6e04f94206f04013484818a8754a5f59522e4ff1dab
                                                        • Instruction ID: 509e008d34b2697cf96d04e2570ed97be58a4105d2a856bbed57d5a25f4f86a5
                                                        • Opcode Fuzzy Hash: 9e53663e14c9278e6442a6e04f94206f04013484818a8754a5f59522e4ff1dab
                                                        • Instruction Fuzzy Hash: CB217E7550D3C08FDB13CB20C890711BF71AB46214F29C1DBD8848F6A7C27A984ACB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.911380262.0000000000F8D000.00000040.00000001.sdmp, Offset: 00F8D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                        • Instruction ID: 23733b8cabd39d6129afa8e25140352734b6b6f64a69d0ba852b5b7d1f2d7575
                                                        • Opcode Fuzzy Hash: 9d191f27037774c7175ec00988a523654d6fbb25c1dda66acccd64c723f85ba2
                                                        • Instruction Fuzzy Hash: 5411B176804280DFCF15DF10D9C4B56BF71FF98324F2886AAD8050B656C336D85ADBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.913892478.00000000061D0000.00000040.00000001.sdmp, Offset: 061D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8e549626075f6a6e0d09021a7c91c025e15f8cdd249a6082dc3a5c9194fda0d1
                                                        • Instruction ID: 4328a2013f5c1aab5f3a2a14f3d7d39120cb8a8ec82e74760e549bcc069d32bf
                                                        • Opcode Fuzzy Hash: 8e549626075f6a6e0d09021a7c91c025e15f8cdd249a6082dc3a5c9194fda0d1
                                                        • Instruction Fuzzy Hash: 8181E83B59B1A67ED35ACA7A0CECEEB7F38D41A4C8B8D0671F5E254812C2740445C3E6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%