Analysis Report Delivery 9073782912,pdf.exe

Overview

General Information

Sample Name: Delivery 9073782912,pdf.exe
Analysis ID: 356845
MD5: 8b22f061055264b77361c6fe7941e25f
SHA1: 8251185b5bc6cb83e99139a7e480541a0363bc43
SHA256: 7fbc2450a78cb9a8b033dd654c2b2378a7e9f3ea7f89bd0db57f907685a2c4cf
Tags: DHL, exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880 | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security

Unpacked PEs

Source | Rule | Description | Author
8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz"}}
Multi AV Scanner detection for submitted file
Source: Delivery 9073782912,pdf.exe | ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: Delivery 9073782912,pdf.exe | Joe Sandbox ML: detected
Source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.Delivery 9073782912,pdf.exe.e10000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files
Source: Delivery 9073782912,pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Delivery 9073782912,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_031A1750
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_0331AB94
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 0_2_0331CB88
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_0843D9E4
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_0843E5D8
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_0843E5D8
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_0843E13C
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_0843E2AC
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_0843E2AC
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_0843E2B8
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_0843E2B8
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then xor edx, edx | 0_2_0843E504
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then xor edx, edx | 0_2_0843E510
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_0843E5CF
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_0843E5CF

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Joe Sandbox View | IP Address: 162.88.193.70
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/HB&lTN
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org4Sk
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.orgD8Sk
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.651697965.000000000896B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comM
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.651697965.000000000896B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comh
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://freegeoip.app
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.654071949.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.654071949.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comscr
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655756100.000000000898E000.00000004.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655604692.000000000898E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655879593.0000000008958000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655913964.000000000898E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.660621776.000000000898B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersS
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.656437070.000000000898E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersX
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.653160870.000000000898D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cndd
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krN.TTF
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krs-e
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652165341.0000000008952000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comnm
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/84.17.52.38
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/84.17.52.38x
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app4Sk
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000008.00000002.912571847.0000000002CD2000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746

                      System Summary:

                      barindex
                      PE file contains section with special charsShow sources
                      Source: Delivery 9073782912,pdf.exeStatic PE information: section name: **!@q|@
                      PE file has nameless sectionsShow sources
                      Source: Delivery 9073782912,pdf.exeStatic PE information: section name:
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_031A05000_2_031A0500
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_031A45000_2_031A4500
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_031A2C280_2_031A2C28
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_031A36280_2_031A3628
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_031A24D80_2_031A24D8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_031A30C00_2_031A30C0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_031A54080_2_031A5408
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_031A19800_2_031A1980
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_033122400_2_03312240
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_0331AB4C0_2_0331AB4C
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_033122300_2_03312230
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_0331A0B00_2_0331A0B0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_0331A0A00_2_0331A0A0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_033180E40_2_033180E4
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_0331C0D80_2_0331C0D8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_084349440_2_08434944
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_084348640_2_08434864
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_0843EC280_2_0843EC28
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 0_2_0843EC380_2_0843EC38
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_010381B08_2_010381B0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_010305808_2_01030580
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_0103B2B08_2_0103B2B0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_01037B898_2_01037B89
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_010346308_2_01034630
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_01030BE08_2_01030BE0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_010310F88_2_010310F8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_010316128_2_01031612
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_010359E08_2_010359E0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D0EF88_2_061D0EF8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D37F08_2_061D37F0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D3FF08_2_061D3FF0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D47F08_2_061D47F0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D4FF08_2_061D4FF0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D1C508_2_061D1C50
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061DF4D88_2_061DF4D8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D00408_2_061D0040
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D08A88_2_061D08A8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061DE9608_2_061DE960
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D0E998_2_061D0E99
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D47908_2_061D4790
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D4F908_2_061D4F90
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D3F928_2_061D3F92
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D37E08_2_061D37E0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061DF4788_2_061DF478
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D34658_2_061D3465
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D00068_2_061D0006
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061D79328_2_061D7932
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F00408_2_061F0040
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F40D88_2_061F40D8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F08288_2_061F0828
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F48C08_2_061F48C0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F29708_2_061F2970
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F17F88_2_061F17F8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F10108_2_061F1010
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F31588_2_061F3158
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F1FE08_2_061F1FE0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F39408_2_061F3940
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F07C88_2_061F07C8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F00068_2_061F0006
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F41288_2_061F4128
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F0FB08_2_061F0FB0
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F48B18_2_061F48B1
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F290F8_2_061F290F
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F17988_2_061F1798
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F30F88_2_061F30F8
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeCode function: 8_2_061F1F818_2_061F1F81
                      Source: Delivery 9073782912,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Delivery 9073782912,pdf.exe, 00000000.00000000.645678736.0000000000E97000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910914612.0000000000B56000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910706029.0000000000466000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910852766.00000000007A7000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe | Binary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Delivery 9073782912,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Delivery 9073782912,pdf.exe | Static PE information: Section: **!@q|@ ZLIB complexity 1.00040635487
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Delivery 9073782912,pdf.exe.log
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Delivery 9073782912,pdf.exe | ReversingLabs: Detection: 27%
                      Source: Delivery 9073782912,pdf.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
                      Source: Delivery 9073782912,pdf.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
                      Source: unknown | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe 'C:\Users\user\Desktop\Delivery 9073782912,pdf.exe'
                      Source: unknown | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Delivery 9073782912,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Delivery 9073782912,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      Yara detected Beds Obfuscator
                      Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
                      Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
                      Source: Delivery 9073782912,pdf.exe | Static PE information: section name: **!@q|@
                      Source: Delivery 9073782912,pdf.exe | Static PE information: section name: (empty)
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_03317C98 push esp; ret 0_2_03317C99
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_084325E0 pushad ; ret 0_2_084325E1
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DBC05 push 8B000003h; iretd 8_2_061DBC0C
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DB507 push es; iretd 8_2_061DB604
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DB0D0 pushfd ; iretd 8_2_061DB0D1
                      Source: initial sample | Static PE information: section name: **!@q|@ entropy: 7.99766880008
                      Source: initial sample | Static PE information: section name: .text entropy: 7.94676615922
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected Beds Obfuscator
                      Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
                      Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D3465 rdtsc 8_2_061D3465
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 | Thread sleep time: -55000s >= -30000s
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7016 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process information queried: ProcessInformation

                      Anti Debugging:

                      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_031A1750 CheckRemoteDebuggerPresent,0_2_031A1750
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D3465 rdtsc 8_2_061D3465
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D1C50 LdrInitializeThunk,KiUserExceptionDispatcher,8_2_061D1C50
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:
